WEMIX Bug Bounty Program Terms and Conditions
Wemade Co., Ltd. (the "Company" or "Wemade") operates the WEMIX Bug Bounty program (hereinafter the "Program"), which rewards vulnerability reports for the WEMIX3.0 Testnet Wallet service. Those who wish to participate in the Program and receive a reward must agree to these terms and are deemed to have agreed to them at the time of submitting a vulnerability report.
- Article 1 (Introduction)
The Program aims to provide safe products and services to users by promptly detecting vulnerabilities in the WEMIX3.0 Testnet Wallet service. Vulnerability reports are eligible for a reward determined under Wemade's compensation policy (the "Reward"). The terms and conditions may change at any time, and participation after an amendment takes effect will be deemed agreement to the amended terms and conditions.
- Article 2 (Eligibility and Application)
- Anyone who meets the following conditions may participate in the Program.
- A retired employee of the Company may participate in the Program 2 years after retirement.
- Participant must not be an employee of the Company (including affiliates).
- Participant must be able to communicate in English or Korean.
- Participant must not be in a country under economic sanctions at the time of reward distribution.
- Participant must bear the various expenses required for participating in the Program. Necessary communications regarding the Program's operation will be held through the participant's email.
- Article 3 (Subject)
- The program's target services are as follows. Reports submitted with subjects not listed below are NOT eligible for compensation.
* Target services may change according to the future service operation and newly launching services.
* Participant must participate in the Program with the WEMIX Wallet SDK, API provided by the Company's official homepage (https://wallet.test.wemix.com/) mentioned above or the WEMIX Wallet APK provided by the Company through the official route. Please note that all liability arising from a breach of this condition rests solely with the user.
- Article 4 (Report Period and Means)
- The Program runs continuously. Nevertheless, the Company may suspend the Program without prior notice when necessary.
- When a vulnerability is reported before the Program has been suspended pursuant to the preceding clause, the Company shall review the report despite the suspension, and the participant's status remains in effect until the result is announced.
- The participant must submit a vulnerability report according to Wemade's instructions. Reports made through other, unofficial means are not eligible for compensation.
- Article 5 (Compensation)
- At its discretion, the Company decides the compensation range according to the severity level of the reported vulnerability.
- The compensation range is as follows.
| Vulnerability Level | Compensation Scale (WEMIX) |
|---|---|
| None Applicable | ~ 5 |
※ The above table expresses the maximum compensation standard; it does not guarantee the maximum compensation for a given vulnerability.
- The tax treatment of digital asset compensation is uncertain, and it is the recipient's responsibility to report and pay any tax arising from such a transaction. The reward recipient has full responsibility to report and pay related tax, and the Company does not provide any advice or aid to the recipient regarding investment, legal, tax, or other matters related to Program participation and reward compensation.
- Article 6 (Submittal Review and Compensation Procedure)
- When a vulnerability report is received, the Company has sole discretion to review the submissions, confirm eligibility, and decide which submissions are eligible. The review time depends on the complexity and completeness of the submissions and the number of submissions received.
- If the Company receives multiple reports of similar vulnerabilities from the same participant, they are considered one vulnerability when they can be classified as the same vulnerability.
- If several participants report the same vulnerability, the reward is given to the first eligible submission.
- The Company will notify the participant by e-mail if the vulnerability reported by the participant is subject to compensation. If the reported vulnerability is determined to qualify for a bug bounty according to the conditions, the participant will be informed of the compensation scale and asked for the documents necessary for compensation.
- When the Company asks through their email account, participants must immediately provide the valid and reliable information (the "Information") the Company needs to pay the reward. If the participant does not provide the Information within 30 days of the Company's request, the participant is considered to have given up the right to compensation. Any fee incurred at the time of compensation is borne by the Company.
- The Reward is paid in WEMIX, and only to the participant's wallet created on the WEMIX blockchain.
- The wallet address used to receive compensation is limited to the participant's own wallet, and the Company may require documentation for verification.
- The actual reward compensation will take place after the official launch of the WEMIX3.0 Mainnet Service, and the payment will be carried out by the Company or WEMIX3.0 Mainnet Service Operation.
- The Company's obligation to compensate is extinguished in the following cases.
- If the participant fails to respond within 30 days even though the Company has sent a message related to the compensation to the participant's email address, or if the participant responds insincerely to a request for additional information for confirmation (including cases such as an error in typing the email address), etc.
- If the participant fails to receive the full or partial reward even though the Company has executed the compensation procedure appropriately using the Information received from the participant (including cases such as an Information error, a system defect, or the participant being under economic sanctions).
- Participant shall not transfer their right to compensation to a third party or provide it as collateral.
- If the participant is found to have violated the Terms and Conditions, the Company may refuse to pay the compensation or request the return of the paid compensation.
- Article 7 (Prohibition and Exclusion)
- The participant shall not perform the following acts.
- Act of infringing on others' rights, or act of violating other laws and regulations
- Act of scanning the service with an automated program
- DoS (Denial of Service) attack that places load on services
- Physical attack on the company's assets or data centers
- Act of reading, deleting, modifying, and disclosing users' data using the vulnerabilities found
- Act of reading, deleting, modifying, and disclosing source code etc. using the vulnerabilities found
- Act of using an unofficial or illegal program that is not officially provided by the Company
- Other acts contrary to the Program's purpose and objective
- The Company may restrict participants who have violated the preceding clause, and violators are excluded from the compensation list.
- The following are excluded from the compensation list.
- Vulnerability already reported
- Vulnerability that can be found only on jailbroken smartphones
- Report not containing PoC code
- Vulnerability that cannot be reproduced
- Vulnerability with a significantly low possibility of being exploited by an attacker
- Policy setting that presents only threat potential (e.g. Imperfect password complexity, etc.)
- Vulnerability with low possibility of exploitation due to demand of excessive user intervention
- UI/UX issues that do not affect security
- Random Force Attacks
- Article 8 (Rights and Submittal License)
- Pursuant to Article 3, within the scope necessary for Program participation, the participant gains the right to edit, process, and replicate materials provided by the Company. Once the participant has completed Program participation by submitting the report in accordance with Article 6 Clause 2, the participant is prohibited from using materials provided by the Company, including editing, processing, and duplicating them, and any data saved during the process must be discarded to an unrecoverable extent.
- If the participant has invented, devised, created, or written a design (the "Invention") during vulnerability analysis and correction review, all rights of the participant, including copyrights in the Invention etc., are transferred to the Company when the participant submits the vulnerability in the form of a report in accordance with Article 6 Clause 2, and the Company can freely exercise or terminate such rights.
- If the Invention etc. is in writing, the participant shall not assert or exercise the copyright in the work against the Company and any person designated by the Company.
- Participant understands and recognizes that the Company may develop data similar or identical to the participant's submissions, and gives up all claims that may arise from the similarity to the participant's submissions.
- Participant guarantees that the submission is the participant's own work, does not use information owned by other persons or organizations, and that the participant has the legal right to provide the submission to the Company.
- If the vulnerability information reported by the participant includes vulnerability information about a service or product provided by a third party (the "External Product"), or a vulnerability arising from a combination of External Products, the Company may, at its discretion, provide such vulnerability information to the relevant External Product provider or institution etc. without the participant's consent. If the content of the report contains the participant's Invention etc., the rights to the Invention etc. regarding the External Product do not transfer to the Company but remain with the participant, and the Company may freely use the Invention etc. about the External Product to the extent necessary for the enhancement of a service or product provided by the Company.
- Article 9 (Treated as Confidential Information)
- Participant must treat the vulnerability and information learned through the vulnerability (details of the attack method etc.) as confidential information. The participant shall not disclose, expose, or publish such information to any third party other than the Company for any purpose, even after the Program has ended.
- If the contents of the vulnerability report differ from the facts, or if the vulnerability is disclosed to a third party other than the Company (presenting at an external conference etc.) and this is found to violate the non-disclosure obligation, the following disadvantages may be applied.
- Exclusion from the evaluation and compensation list for 1 year from the date the violation is found
- If compensation has already been paid for such a vulnerability, the compensation is canceled and must be fully returned, and legal action is taken
- Article 10 (Use of Personal Information)
- The Company strives to protect personal information as stated in related legislation such as the Personal Information Protection Act.
- The Company uses the personal information [email] provided by participants for the smooth use of the Program and other necessary office work.
- The Company shall retain the personal information received from the participant for a period of three years from the date of the last vulnerability report, or for the retention period under the relevant laws and regulations.
- Article 11 (Immunity)
- Participants participate in this Program at their own responsibility, and the Company shall not be liable for any damages incurred by participants in this Program except for reasons attributable to them.
- The Company shall not engage in any dispute between the participants involved in the Program or between the participants and third parties, and the participants shall settle the dispute at their own expense.
- Article 12 (Amendment)
- The Company may amend the contents of these Terms and Conditions to the extent that it does not violate the relevant laws and regulations.
- If the Company revises the Terms and Conditions, it shall be announced on the website at least one week before the application date.
- If the Company announces an amendment of the Terms and Conditions in accordance with the preceding paragraph and receives a vulnerability report after the date of application, the participant shall be deemed to have agreed to the amended Terms and Conditions.
- If the participant does not agree to the application of the amended Terms and Conditions, the company cannot apply the changed terms and conditions, and in this case, the participant will not be able to participate in the program.
- Article 15 (Language and Time Zone)
- In case of any discrepancy between the Korean and English versions of these Terms and Conditions, the Korean version shall prevail.
- The date and time used in connection with the program is based on the date and time of Korea (GMT+9) unless otherwise specified.
- Article 16 (Governing Law and Jurisdiction)
- The company hopes there will be no dispute. However, if a dispute arises, the participant and the company agree to settle it informally for 60 days.
- Litigation filed between the company and the participant shall be governed by the laws of the Republic of Korea, and the competent court of litigation concerning disputes between the company and the participant shall be determined in accordance with the Civil Procedure Act.
- Notwithstanding the preceding paragraph, the Seoul Central District Court of the Republic of Korea shall be the competent court for participants whose domicile or residence is located overseas.
- Article 17 (Program Inquiries)
All inquiries regarding the Program are received at email@example.com and no other inquiries are accepted.
Revision and Application Date: 2022-08-03