Responsible Disclosure Policy
Date: December 30, 2019
New Leaf Community Markets, LLC, (“New Leaf” “us”, “we” or “our”) considers the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
This New Leaf Community Markets Responsible Disclosure Policy (“Terms”) governs your participation in the New Leaf Community Markets Responsible Disclosure program (the “Program”). These Terms are a binding agreement between you and New Leaf Community Markets.
The Program enables users to submit vulnerabilities and exploitation techniques (“Vulnerabilities”) to New Leaf Community Markets concerning our website located at https://www.newleaf.com/ (“Website”) for a chance to earn rewards in an amount determined by New Leaf Community Markets in its sole discretion (“Bounty”). By submitting any vulnerabilities to New Leaf Community Markets or otherwise participating in the Program in any manner, you accept these Terms.
Changes to These Terms
New Leaf Community Markets may change or cancel this Program at any time, for any or no reason. We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don’t agree to the new Terms, you must not participate in the Program. If you wish to opt-out of the Program and not be considered for Bounties, contact us at email@example.com.
You may participate in the Program only if you meet all of the following criteria:
you are 14 years of age or older; and, if you are at least 14 years old but are considered a minor in your place of residence, you have obtained your parent’s or legal guardian’s permission prior to participating in this Program;
you are either an individual participating in your own individual capacity, or you work for an organization that permits you to participate in the Program;
you are not a resident of any country under U.S. sanctions and are not otherwise prohibited by applicable from participating in the Program;
you are not currently (and have not been in the twelve (12) months prior to providing your Submission to us) an employee of New Leaf Community Markets or any affiliate of New Leaf Community Markets, or an immediate family member (parent, sibling, spouse, or child) or household member of any such employee; and,
you are not currently performing (and have not within the twelve (12) months prior to providing your Submission to us performed) services for New Leaf Community Markets or any affiliate of New Leaf Community Markets as a temporary worker, vendor employee, business guest, or contractor.
If you discover a Vulnerability, you may email your findings to firstname.lastname@example.org. Each Vulnerability submitted to New Leaf Community Markets will be considered a “Submission.” Please include the following information in the email:
- Your name and contact information;
- Organization (if applicable);
- New Leaf Community Markets products/solutions and versions affected;
- A detailed description of the potential vulnerability;
- Supporting technical details, including descriptions or examples of exploit/attack code, packet captures, and steps to reproduce the issue;
- Any known information about live exploits; and,
- Your desire for public recognition.
If you do not receive a confirmation email within ten (10) business days after making your Submission, you may notify us to ensure your Submission was received.
New Leaf Community Markets will not claim any ownership rights in your Submission. However, by providing any Submission to us, you hereby grant us a non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: to use, review, assess, test, and otherwise analyze your Submission; and to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part.
We endeavor to address each Vulnerability Submission in a timely manner. While we are doing that we require that Submissions remain confidential and cannot be disclosed to any third parties, including as part of paper reviews or conference submissions. You can make available high-level descriptions of the Vulnerability after it is fixed. We will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to Vulnerability being fixed and payment should not be taken as notification of fix completion. Violations of these provisions could require you to return any Bounties paid for that vulnerability and disqualify you from participating in the Program in the future.
Submission Review Process
After a Submission is sent to us in accordance with these Terms we will review the Submission. The review time will vary depending on the complexity and completeness of your Submission, as well as the number of Submissions we receive.
If the Vulnerability is not yet known to us, we will determine a Bounty amount based on the severity of the Vulnerability and the quality of the Submission. If we have determined that your Submission is eligible for a Bounty, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. If you are eligible for this Program but are considered a minor in your place of residence, we may award the Bounty to your parent/legal guardian on your behalf and require them to sign all required forms on your behalf. If you are unable or unwilling to accept your Bounty, we reserve the right to rescind it; and, if you accept a Bounty, you (or your parent/legal guardian as applicable) will be solely responsible for all applicable taxes related to accepting the Bounty payment(s).
We retain sole discretion in determining the amount of any Bounty. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. The decisions made by New Leaf Community Markets regarding Bounties are final and binding.
We may also publicly recognize individuals who have been awarded Bounties, unless you explicitly ask us not to include your name.
Code of Conduct
By participating in the Program, you will not:
- do anything illegal;
- take advantage of the Vulnerability, for example by downloading more data than necessary to demonstrate the Vulnerability or deleting or modifying other people’s data;
- engage in activities that does damage or has the potential to damage our systems (this includes any activity that has an impact to the availability of our systems, including the use of vulnerability scanning tools);
- use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties;
- engage in any activity that exploits, harms, or threatens to harm any individual;
- engage in any activity that is false or misleading.
- engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, or advocating violence against others).
- help others break these rules.
If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.
Limitation of Liability, Disputes
If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from New Leaf Community Markets or any affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to $100.00. You can’t recover any other damages or losses, including lost profits or revenue, or any consequential, special, indirect, incidental, or punitive damages. These limitations and exclusions apply even if this remedy doesn’t fully compensate you for any losses or fails of its essential purpose, even if we knew or should have known about the possibility of such damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.