IMPORTANT - READ BEFORE USING THE SITE OR SERVICES FOR RUNNING A SECURITY PROGRAM.
Security Program Time Period
The Security Program initiates when it is listed on the Site and Services and has the status Live.
The Security Program will run until a written deadline agreed between You and Cobalt. This deadline will be listed on the Security Program.
Security Pentesters can only engage in testing on programs that are in status Live and the Security Pentesters have been invited to. When a program is past the test deadline, Security Pentesters are not allowed to engage in test activities other than re-testing / Patch verification specifically requested by You.
The date on which your test will start may depend on the Tier associated with your account. Each Tier permits test start dates within a defined minimum advance notice, measured in Business Days (“Minimum Notice Period”). For purposes of calculating the applicable period associated with your Tier, a “Business Day” falls within Cobalt Business Hours and excludes holidays and weekends, provided that a test must be assigned a test to “Planned” prior to 11 AM Pacific Standard Time of the first day of the Minimum Notice Period. “Cobalt Business Hours” are: for customers in EMEA, 8 AM - 5 PM Central European Standard Time; for customers in the Americas, 8 AM Eastern Time- 5 PM Pacific Time. Cobalt’s commitment to initiate a test within a certain period only begins when a test is listed as “Planned” and a start date is selected. Services must be scheduled to be completed within the applicable annualized period of the Order Term. When Services that are scheduled to begin within thirty (30) days of the expiration of the one-year period associated with the applicable Credit(s), test coverage may be reduced and retesting may be precluded due to time and resource constraints.
Third Party Integrations
Services may be configured to facilitate integration with certain third party software products or services leveraged by Cobalt Yous. The availability of such integrations is dependent on the specific Tier assigned to a Customer.
Notwithstanding the foregoing, Cobalt reserves the right to deprecate any particular third party integration at its discretion.
By accessing or using Cobalt’s third party integrations, Customerrepresents and warrants that it has obtained all necessary licenses, credentials, or other rights to facilitate Customer leveraging such third-party integrations.
Cobalt hereby disclaims any and all obligations relative to such third party’s privacy or security posture.
Customer uses such third party integrations at its own risk. Cobalt does not make any warranty for and shall not be held liable or accept any liability, obligation, or responsibility for any loss or damage in connection with any third party integration. Cobalt has no control over such third parties and we are not responsible for the content of their services. Cobalt provides You with third party integrations only for Your convenience.
Cobalt may offer retesting of vulnerabilities, depending on the Tier you purchased, as further described in Cobalt’s Tiers FAQ. Retesting consists of Cobalt Pentesters re-engaging via the same or similar methodologies in testing of specified vulnerabilities that were originally identified in a Cobalt Vulnerability Report. Retesting is applicable only to those vulnerabilities that you have taken steps to remediate and the intent of retesting is to validate the efficacy of your remediation efforts. Timing for retesting is at Cobalt's sole discretion. Customer cooperation with Cobalt operational requests (including without limitation, providing access to credentials and environments) is a condition to Cobalt’s retesting obligations. Cobalt Customers must request a retest by at least ten (10) days prior to the expiration of their Services term (unless Customer has executed a renewal). Retesting is subject to all terms and conditions otherwise applicable to the provision of Services by Cobalt.
Security Program Responsibilities and Liabilities
- You agree that you authorize Cobalt to list your program on the Site and Services.
- You agree that you authorize invited Security Pentesters to perform tests on the Application(s)/Network(s) mentioned in scope in the Security Program.
- You agree to take the full liability and responsibility, and release Cobalt from any liability, if anyone who is not a Security Pentester, or other non-Cobalt personnel, is engaged in testing of the Security Program.
- You agree that the scope, rules and all other information on the Security Program is the entire scope, rules and information which you expect the Security Pentesters to follow if engaging in activities related to your Security Program.
- You agree that Cobalt only provides a best practice set of rules as an example and that you as a User are fully responsible and liable for the coverage of the scope and the rules written in the Security Program.
- You agree that you are responsible for contacting and getting, if needed, acceptance from any and all related third parties who potentially will be impacted by the activities related to the Security Program. This includes but is not limited to hosting providers.
- You agree that you understand when you initiate the Security Program you will start receiving Vulnerability Report Submissions on the Site and Services. This means that Cobalt will store these Vulnerability Reports on the Site and Services, any vulnerability/Bug submitted against your Security Program will only be visible to You, the Security Pentesters participating in the Program and Authorized staff at Cobalt.
- In the event your program has responsible disclosure you agree that you are responsible for informing the Security Pentesters on when he/she can disclose a given vulnerability to the public.
You agree and acknowledge that the personal data you provide to us may be processed for the purpose of providing our services to you. Each Party shall maintain appropriate technical and organizational safeguards for protection of the associated personal data that is collected and/or processed through your use of the Services.
Any false information provided within the context of the Security Program by Customer concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms and conditions or the like may result in the immediate termination of the Security Program.
Cobalt recommends that you obtain appropriate insurance and backup for your Application(s)/Network(s) and its content. Please review any insurance policy that you may have for your Application(s)/Network(s) and its content carefully, and in particular please make sure that you are familiar with and understand any exclusions to, and any deductibles that may apply for, such insurance policy.
Complete Agreement and Order of Precedence
All of the terms set forth in the General Terms, or another master agreement entered into between You and Cobalt, shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms, or other master agreement terms, and these Supplemental Terms, the Supplemental Terms shall apply.