IMPORTANT - READ BEFORE USING THE SITE OR SERVICES FOR RUNNING A SECURITY PROGRAM.
BY CLICKING TO SIGN IN ON-LINE TO USE THE COBALT SITE AND SERVICES AND BY USING THE SITE AND SERVICES FOR RUNNING A SECURITY PROGRAM, YOU (OR “CUSTOMER”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS (“AGREEMENT” or “GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE TO RUN A SECURITY PROGRAM AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE SECURITY PENTESTER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO USE THE SITE OR SERVICE TO RUN A SECURITY PROGRAM.
To submit a Security Program, you must either be the owner of the Application(s)/Network(s) you list as in scope of the test or have obtained all necessary legal permissions and licenses from the owner to list them and have them tested. You also need to ensure that you have obtained all necessary legal permissions and licenses from any third party service providers applicable to the scope that may be tested pursuant to the terms and conditions of an agreement with such third party, including, but not limited to, a hosting agreement. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including the cost of the activities and that you have the authority to bind such entity to these Supplemental Terms. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.
Security Program Time Period
The Security Program initiates when it is listed on the Cobalt Security Program list on the Site and Services and has the status Live.
The Security Program will run until a written deadline agreed between You and Cobalt. This deadline will be listed on the Security Program.
It is important to note that:
- Security Pentesters can only engage in testing on programs that are in status Live and the Security Pentesters have been invited to.
- When a program is past the test deadline, Security Pentesters are not allowed to engage in test activities other than re-testing / Patch verification specifically requested by You.
The date on which your test will start may depend on the Tier associated with your account. Each Tier permits test start dates within a defined minimum advance notice, measured in days. For purposes of calculating the applicable period associated with your Tier, a “day” is equal to 24 hours excluding holidays and weekends, falling within Cobalt business hours. Cobalt business hours are: for Customers in EMEA, 8 AM - 5 PM Central European Standard Time; for Customers in the Americas, 8 AM - 5 PM Pacific Standard Time. A Customer must first have their test assigned to “Planned” state within the Cobalt platform in order to select a start date, such that Cobalt’s commitment to initiate testing within a certain period only begins when a test is listed as “Planned” and a start date is selected. In all circumstances, a start date for Services must be scheduled to be completed before the expiration of the one-year period associated with the applicable Credit(s). When Services are scheduled to begin within fourteen days of the expiration of the one-year period associated with the applicable Credit(s), test coverage may be reduced and retesting may be precluded due to time and resource constraints.
Third Party Integrations
Services may be configured to facilitate integration with certain third party software products or services leveraged by Cobalt Customers. The availability of such integrations is dependent on the specific Tier assigned to a Customer.
While Cobalt is constantly investigating new opportunities of third party integrations, a current list of third party integrations can be found on the Tiers FAQ. Notwithstanding the foregoing, Cobalt reserves the right to deprecate any particular third party integration at its discretion.
By accessing or using Cobalt’s third party integrations, Customer (i) agrees to all applicable terms in this Agreement as well as the specific integration terms applicable to the software or solution to which such integration applies, and (ii) represents and warrants that it has obtained all necessary licenses, credentials, or other rights to facilitate Cobalt’s access to and integration with such software or solution.
If there is a conflict between the integration terms in this Agreement and the specific integration terms of a third party integration, the specific integration terms will control for that conflict.
Before using any of the Cobalt third party integrations, Customer is encouraged to (i) review the terms and conditions of the relevant third party provider (“Third Party Terms”) and (ii) review personal and technical security of the third party integration. Cobalt’s provision of third party integrations relies on Customer having conducted the review in accordance with this section and Cobalt hereby disclaims any and all obligations relative to such third party’s privacy or security posture.
By utilizing any of the third party integrations supported by Cobalt, Customer acknowledges that (i) Cobalt has no control over the service or product that is integrated, (ii) Customer has read and understands the terms of the relevant third party providing the integration, (iii) Customer consents that Cobalt shall transfer the data collected as a result of providing Customer with the Services to the third party, (iv) Customer uses the third party integration at its own risk.
Cobalt shall not be held liable and shall not accept any liability, obligation, or responsibility for any loss or damage in connection with any third party integration. Cobalt has no control over such third parties and we are not responsible for the content of their services. Cobalt provides Customers with third party integrations only for our Customers’ convenience. This does not imply any endorsement or association with such third parties. Any concern regarding the third party services should be directed to the responsible third party.
Customer agrees to release, indemnify, and hold Cobalt and its affiliates and subsidiaries, and their officers, directors, employees and agents, harmless from and against any third party claims, liabilities, damages, losses, and expenses, including, without limitation, reasonable legal and accounting fees, arising out of or in any way connected with (i) Customer’s misuse of third party integrations or (ii) violations of the Third Party Terms.
By using any third party integration, Customer acknowledges that Cobalt does not warrant that the use of the third party integration will be uninterrupted or error free. Customer accepts and understands this risk and waives all rights to hold Cobalt responsible in any way, financially or otherwise, for such errors and results.
By using any third party integration, Customer acknowledges that Cobalt does not make any specific promises about the third party integrations. For example, Cobalt does not make any commitments about the content of third party integrations, their specific functions and reliability, availability, or the ability to meet Customer’s needs.
Cobalt shall retain all rights (including but not limited to all patent rights, trademark rights, copyright, trade secrets and any other intellectual property rights) that Cobalt has or may have in connection with the third party integrations.
Any use of the Cobalt API is subject to the terms and specifications found at https://docs.cobalt.io.
Cobalt may offer retesting of vulnerabilities, depending on the Tier you purchased. Please see the Tiers FAQ to determine whether you qualify for retesting. Retesting consists of Cobalt Pentesters re-engaging via the same or similar methodologies in testing of specified vulnerabilities that were originally identified in a Cobalt Vulnerability Report. Retesting is applicable only to those vulnerabilities that you have taken steps to remediate and the intent of retesting is to validate the efficacy of your remediation efforts. Timing for retesting is at Cobalt’s sole discretion. Only Cobalt Customers with active subscriptions at the time a retest is requested are eligible for retesting. Retesting is subject to all terms and conditions otherwise applicable to the provision of Services by Cobalt.
Security Program Responsibilities and Liabilities
- You agree that (i) your creation of the Security Program will not breach any agreements you have entered into with any third parties, (ii) you have all of the necessary right, title and interest to grant the license rights provided by you pursuant to the General Terms and Supplemental Terms, and (iii) you are and will remain in compliance with all Applicable Laws, Tax requirements, and rules and regulations.
- You agree that you authorize Cobalt to list your program on the Site and Services.
- You agree that you authorize invited Security Pentesters to perform tests on the Application(s)/Network(s) mentioned in scope in the Security Program.
- You agree to take the full liability and responsibility if you invite pentesters who are not Security Pentesters to see your Security Program and/or Engage in testing of the scope of the Security Program.
- You agree that the scope, rules and all other information on the Security Program combined with our Supplemental Terms for Engaging in Testing is the entire scope, rules and information which you expect the Security Pentesters to follow if engaging in activities related to your Security Program.
- You agree that Cobalt only provides a best practice set of rules as an example and that you as a User are fully responsible and liable for the coverage of the scope and the rules written in the Security Program.
- You agree that you are responsible for contacting and getting, if needed, acceptance from any and all related third parties who potentially will be impacted by the activities related to the Security Program. This includes but is not limited to hosting providers.
- You agree that you understand that when you initiate the Security Program you will start receiving Vulnerability Report Submissions on the Site and Services. This means that Cobalt will store these Vulnerability Reports on the Site and Services. Any vulnerability/Bug submitted against your Security Program will only be visible to You, the Security Pentesters participating in the Program and Authorized staff at Cobalt.
- In the event your program has responsible disclosure you agree that you are responsible for informing the Security Pentesters on when he/she can disclose a given vulnerability to the public.
- As aligned with the General Terms Limitation of Liability section, You understand and agree that the nature of penetration testing may cause harm or disruption to Application and/or networks and that neither Cobalt nor the Security Pentesters shall have any liability of any kind arising out of such testing activities unless the Security Pentester has committed gross negligence or committed willful misconduct in performance of such testing.
Intellectual Property Rights
See the General Terms for information around Ownership and License grants.
For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:
- the data controller is Cobalt and the data processor is Cobalt
- your data is collected for purposes of administration of the promotion and for marketing purposes
- you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to Cobalt at firstname.lastname@example.org
- your personal data will be transferred to the U.S.
Warranty and Indemnification
You represent and warrant that you own or have all necessary right, title and interest in the Application(s)/Network(s) in scope for the Security Program and that the Security Program material and Application(s)/Network(s) submitted by you or on your behalf do not infringe upon or violate any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations, defame any person or violate their rights of publicity or privacy or otherwise violate any Applicable Law.
To the maximum extent permitted by law, you hereby agree to indemnify and hold harmless Cobalt at all times from and against any liability, claims, demands, losses, damages, costs and expenses (including reasonable attorney’s fees) arising out of or relating to (i) your improper or unlawful use of the Site or Services; (ii) your failure to properly perform your obligations under the Terms; (iii) your negligence or willful misconduct; (iv) your breach of your representations and warranties set forth in the Terms; (v) your violation of Applicable Law; (vi) any misrepresentation made by you in connection with the Site and Services; (vii) any error made by you in the collection, processing, or retention of submission information or in the printing, offering or announcement of any reward or winners; and (viii) your breach, default or violation of the General Terms, Supplemental Terms or Security Program (collectively as “Indemnified Claims”). You hereby agree to defend Cobalt, at your expense, from and against any and all claims, actions, suits or proceedings brought by a third party arising out of or relating to the Indemnified Claims.
Any false information provided within the context of the Security Program by you concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms and conditions or the like may result in the immediate elimination of the Security Program.
Cobalt does not give a guarantee against any malfunction of the entire Security Program Site or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed Vulnerability Report submissions due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit the period a program is listed on the Site.
Cobalt recommends that you obtain appropriate insurance and backup for your Application(s)/Network(s) and its content. Please review any insurance policy that you may have for your Application(s)/Network(s) and its content carefully, and in particular please make sure that you are familiar with and understand any exclusions to, and any deductibles that may apply for, such insurance policy.
Complete Agreement and Order of Precedence
All of the terms set forth in the General Terms shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms and these Supplemental Terms, the Supplemental Terms shall apply.