The Bugbounty Platform in the Sultanate of Oman provides its online
services as a testing service to scan security vulnerabilities for
organizations through the platform, prepare reports to detect their own
vulnerabilities on the Internet, and access a community of independent
security researchers in the field of cybersecurity (“Security
Researchers”).
Whereas this Customer Master Agreement sets forth the terms that the
Bugbounty Platform must provide to the customer identified in the order
form, other quotation, order document or other purchase order that
references this Agreement and for such Services and Software, and is
effective as of the date listed on the Application form.
By executing an order hereof, the person executing the order agrees to this
Agreement on behalf of Customer and acknowledges that he or she has been
authorized to represent such Customer in this Agreement. It is hereby
acknowledged that continued use of the Hosted Service (as defined below)
constitutes acceptance of this Agreement.
Therefore, the following was agreed upon:
1. Definition
Capitalized terms will have the meaning set forth in this Section 1 below
or as defined in this Agreement.
1.1. “Reward” means the Testing Services (as defined in Section 1.7
below) for the particular Program described in the Program Summary.
1.2. “Security Build Program” means the Bugbounty Platform Program,
Vulnerability Discovery Program, Next Generation Penetration Testing Program
or any annual on-demand program or annual program offered by the
Vulnerability Hunter Reward Platform as described in an order submitted
under Section 2.1. Security Researchers who participate in each Collective
Security Program will be subject to the then-current Standard Disclosure
Terms available at
https://bugbounty.om/Home/NDAProgram as amended
or supplemented by additional terms in the applicable Program Brief.
1.3. “Customer Data” means all products, technical support, and other
information related to Customer’s business, as provided for, generated by,
or obtained by the Bugbounty Platform during the term of this Agreement.
1.4. “Hosted Service” requested by Customer pursuant to the Order and any
other software, End User Documentation and any information (other than Test
Results) made available to Customer by the Bugbounty Platform in connection
with the performance of the Testing Services, including any and all updates
thereto.
1.5. “Program Brief” means a description of each Collective Security
Program provided to Security Researchers.
1.6. “Security Researchers” are independent contractors with the
Bugbounty Platform equivalent platform who perform testing services, and
refer to two distinct groups of program participants:
· Group A, who are independent contractors for Bugbounty platform
who conduct vulnerability testing and who have undergone Bugbounty Platform
surveys are the only security researchers invited to participate privately.
· Group B is the general population, who have access to any public
software promoted by the Bugbounty Platform.
1.7. “Services” means the services to be performed by the Bugbounty
Platform under this Agreement and the Testing Services as agreed upon
within the scope of the Services contained in the Order. “Testing Services”
means the services performed by Security Researchers and includes, without
limitation, Vulnerability Testing Services and Penetration Testing
Services. The following is implemented by security researchers in
accordance with the collective security programs requested by the client.
1.8. “Target Systems” are the applications and systems that are subject
to the Testing Services.
1.9. “Test Results” means information about vulnerabilities discovered on
target systems that are submitted to the Hosted Service as part of the
testing services for a vulnerability scanning report, including but not
limited to vulnerabilities identified by security researchers and submitted
to the Hosted Service, vulnerability confirmation and evaluation,
eligibility for Rewards by the Bugbounty Platform and any additional
materials provided by the Bounty Hunter Platform as specified in the
applicable Order, expressly excluding:
· Any basic templates included in the test results of the
vulnerability scanning report by the equivalent Vulnerability Hunter
platform.
· Metadata related to test results (i.e. reports, sub-state
information and comments available to the customer in hosted services)
· Indeterminate test results.
“De-identified Test Results” means Test Results that have been anonymized
and are not identifiable to the Customer or any individual and are
presented in such a manner that the identity of the Customer or any
individual may not be derived from them.
1.10. “Term”: The term of the Agreement begins on the Effective Date
and continues until terminated by either party in accordance with the terms
of this Agreement.
1.11. “Applicable law” is the legislation, royal decrees, regulations
and ministerial decisions issued in the Sultanate of Oman.
2. Conditions of participation
2.1. Providing hosting services
Bugbounty Platform will make the Services available in a hosted environment
for Customer to use in accordance with this Agreement and applicable Orders
during the Term. Additionally, Bugbounty will maintain a security program
designed to maintain the security and integrity of the Hosting Service and
test results in accordance with current industry standards and use
commercially reasonable efforts to make the Hosting Service available 24
hours a day, 7 days a week, except for (i) scheduled maintenance (of which
Bugbounty Platform provides reasonable advance notice via the Hosting
Service); and (ii) downtime caused by a Force Majeure Event (subject to
Section 11) or other circumstances beyond Bugbounty Platform's reasonable
control. Customers may
use the Hosted Services for the sole purpose of receiving the Testing
Services specified in the applicable Order, and subject to the limitations
set forth in Section.
2.2. Restrictions
1. Customer may not sell, resell, rent, transfer, assign, reproduce,
distribute, host or commercially exploit any portion of the Hosted Service
or use the Hosted Service for the benefit of any third party.
2. Modify, translate, adapt, merge, make derivative works of,
disassemble, decompile, reverse compile or reverse engineer the Hosted
Service, or otherwise attempt to discover the source code of the underlying
software of the Hosted Service, except to the extent that the above
restrictions are expressly prohibited under applicable law.
3. Circumvent or disable any digital rights management, usage rules or
other security features of the Hosted Service, or attempt to gain
unauthorized access to, disrupt the integrity or performance of the Hosted
Service or the data contained therein.
4. Access or use the Hosted Service in order to create a similar or
competitive website, application, or service.
5. Copy, reproduce, distribute, republish, download, display, post or
transmit in any form or by any means any part of the Hosted Service.
6. Remove or destroy any copyright or other proprietary notices
contained on or in the Hosted Service.
The Customer must use the Hosted Service only in accordance with
applicable laws. Customer is responsible for all activities that occur
under its logins on the Hosted Service, and for its compliance with this
Agreement. The Customer is responsible for the security of all passwords
and other access protocols required to access the Hosted Service. Customer
must notify Bugbounty immediately if Customer's passwords or access
protocols are lost, stolen, disclosed to an unauthorized third party, or
otherwise compromised.
2.3. The Order
All Rewards Sourced Security Software ordered by Customer during the Term
will be described in a Bugbounty Platform quote or similar purchase order
from Customer (each an “Order”), which will become effective:
1. When signed by both parties.
2. Upon the issuance of a Customer purchase order that references a
Bugbounty Platform order (it is understood that the Customer’s issuance of
such purchase order constitutes Customer’s acceptance of the terms of the
order). Each Bounty Source Security Program will begin on a mutually agreed
upon date between the Bugbounty Platform and Customer (“Start Date”). All
orders placed on an annual basis will automatically renew for additional
periods throughout the year at then-current prices unless otherwise stated
in the order or unless either party notifies the other of its intention to
terminate the order within sixty (60) days prior to the end of the present
year term.
3. All other orders (meaning on-demand orders or other orders not
placed on an annual basis) will expire upon completion of the Security
Program or upon termination or expiration of the Security Program in
accordance with this Agreement.
2.4. Perform testing services for vulnerability scanning.
Once an order has been fulfilled, Customer's Bugbounty Platform will
designate a point of contact to assist in the success of Bugbounty's
Security Programs ("Platform Point of Contact"), and Customer will
designate for Bugbounty’s Platform a point of contact to facilitate the
Platform's operation of Customer's security programs and its relationship
with the Platform ("Customer Point of Contact").
The Bugbounty Equivalent Platform Contact and Customer Contact Point will
prepare a mutually agreed program summary for all security programs for the
group. The Bugbounty platform will report collective security software,
including software summaries, to security researchers so they can perform
testing services. Security Researchers will report vulnerabilities to a
Bugbounty equivalent platform through the Hosted Service, and Customer may
access the information reported through the Hosted Service for the duration
of the applicable group security program.
The Bugbounty Platform makes the software feed(s) available to appropriate
security researchers, reviews the vulnerability information provided by the
security researchers to verify the reported vulnerabilities, confirms
whether the reported vulnerabilities fall within the scope of the software
feed, provides the customer with instructions to reproduce the validated
vulnerabilities, and evaluates whether a bounty payment is due on
any validated vulnerabilities in accordance with the terms of the
applicable program brief. Testing Services must be used within the period
set forth in the applicable order or be forfeited.
2.5. Client authorization
Customer authorizes the Bugbounty to access and use the Target Systems, and
its employees and security researchers to access and use the Target Systems,
only as required for the purpose of performing vulnerability testing
services during the applicable Order Term, which may include defeating or
attempting to defeat existing network security mechanisms and software,
infrastructure, hardware and software firewalls, virtual private networks,
hardware and software IDS/IPS, and software systems designed to prevent
system compromise, which may include accidental access to data stored
within target systems. This data is considered confidential information of
the Customer, and the Bugbounty Platform will not disclose to any third
party or use this data for any purposes other than reporting and validating
vulnerabilities in the performance of the testing services below.
Customer agrees that any terms of use agreement, documents or similar terms
(whether in hard copy, electronic, web-based or other form and whether
existing before or after the date of this Agreement), contained in or with
the Target Systems, or that may be required to be accepted in order to
access Target Systems, will be superseded by this Agreement to the extent
of any conflict or inconsistency with the terms of this Agreement,
regardless of whether this Agreement is “signed” or otherwise agreed to by
the Bugbounty, its employees, or any security researcher in connection with
the performance of the testing services below. Customer represents and
warrants that it has the right to grant the licenses specified in this
Section 2.5 in accordance with all applicable laws.
2.6. Pay rewards to security researchers.
Bugbounty will periodically provide Customer with Hosted Service reports
outlining Bugbounty's recommendation of appropriate bounty payments to
Security Researchers consistent with the applicable Program Summary (each a
“Report”). Unless otherwise specified in an applicable order, Bugbounty
will notify Customer electronically through the Hosted Service when a
report is available for review by Customer. Upon notification of the
availability of each report, Customer will have five (5) business days to
review and approve or reject these recommendations (“Approval Period”).
Customer may reasonably reject a Bugbounty platform's recommendation if the
applicable test results are outside the scope of the security program, or
if Vulnerability Reproduction Instructions provided by the Bugbounty
Platform are insufficient to reproduce the vulnerabilities provided by the
appropriate security researcher.
If, during the Consent Period, Customer rejects Bounty Hunter's
recommendation based on one of the rules set forth above, Customer must
provide Bugbounty with written notice (“Customer Notice”), which must
include the reasons for such rejection, and Bugbounty will promptly
issue and submit a revised report, which is deemed approved by the
Bugbounty unless rejected by the customer as above.
Customer's failure to provide Customer notice within the Approval Period
will be deemed acceptance of the Bugbounty Rewards Platform's
recommendations in the applicable report. Upon approval or deemed
approval of a Bugbounty Platform's recommendation, the Bugbounty Platform
will pay the approved bounty to the relevant security researcher. All
remuneration paid to Security Researchers shall be made solely in connection
with the Collective Security Program.
3. Independent contractor relationship
The Bugbounty platform uses its technology to connect a client, whether a
government company or a private company, with security researchers.
However, Bugbounty does not control or supervise security researchers, and
security researchers are not employees of Bugbounty. The customer
acknowledges and agrees that the Security Researcher's relationship with
the Bugbounty Reward Platform is that of an independent contractor. Nothing
in this Agreement is intended or should be construed as creating a
partnership, joint venture, or employer-employee relationship between
Security Researchers or between Customer and any of BugBounty’s employees,
agents or contractors. Security Researchers are not agents of Bugbounty and
are not authorized to act on behalf of Bugbounty.
4. Fees
Customer must pay the Bugbounty Platform fee for each Security Software to
the Suite as specified in the applicable Order (“Fees”) within thirty (30)
days of receipt of invoice.
Unless the order states otherwise, all fees will be invoiced when the order
is executed. Fees exclude all taxes, fines, discounts and fees related to
the Services. Any late payments are subject to an interest penalty equal to
1.5% per month of the amount due plus the actual costs of collection.
In the event that the Customer's account is outdated for more than thirty
(30) days for any reason, the Bugbounty Platform has the right to suspend
the Services and the Customer's use of the Hosted Service without further
notice to the Customer, until the Customer pays the full balance due, in
addition to any fine due. Customer agrees that if a price discount is
indicated on any order, Customer will engage in joint marketing activities
with Bugbounty Platform (customer case study, press release, blog, social
posting or other marketing communication that demonstrates the company's
success with Bugbounty Platform vulnerabilities, in a form and language
agreed upon by both parties, and Customer grants Bugbounty the right of
reference to Customer and a license to use Customer's logo in connection
therewith).
5. Confidentiality
“Confidential Information” means any information that is marked or
identified as confidential at the time of its disclosure, is deemed
confidential after its disclosure, or which a reasonable natural person
would consider confidential based on the circumstances and content of the
disclosure, and which is disclosed under this Agreement. Confidential
information does not include information that:
1. is or becomes known to the receiving party from a source other
than the source bound by confidentiality to the disclosing party;
2. becomes publicly known or is no longer confidential, without breach
of this Agreement;
3. was independently developed by the receiving party.
Customer data is considered confidential information of the customer. Test
Results are confidential information of both parties and nothing in this
Agreement shall be deemed to limit or restrict Customer's rights in or to
the Test Results, except that neither party may disclose Test Results to a
third party without the express written consent of the other party. The
following information is considered confidential information of the
Bugbounty platform: documents and prices stated in the application;
information regarding the identity of security researchers; and metadata
related to test results. Except as required to fulfill the purpose of this
Agreement, each Recipient Party agrees not to use the other Party's
Confidential
Information and to prevent disclosure of the other Party's Confidential
Information to any third party for a period of three (3) years after the
date of disclosure or, in the case of Customer Data, until such time as the
Customer Data is no longer confidential. The Receiving Party may disclose
Confidential Information if requested to do so by a governmental entity or
in accordance with applicable law, provided that the disclosing Party
provides reasonable advance written notice of such disclosure. Except as
specifically set forth above, this Agreement does not transfer to either
party any Confidential Information and all right, title, interest and
ownership in and to the Confidential Information will remain with the
disclosing party.
6. Ownership
6.1. Property
As between Bugbounty and Customer, Bugbounty retains all right, title and
interest in and to the Hosted Service, and all modifications and
improvements thereto, including all related intellectual property rights.
No rights are granted to the Customer other than as expressly set forth in
this Agreement. Subject to the rights expressly granted to Bugbounty and
Security Researchers in this Agreement or the applicable Software Summary,
Customer retains all right, title and interest in and to the Target
Systems, and all modifications and improvements thereto, including all
related intellectual property rights.
No rights are granted to the Bugbounty Platform other than as expressly set
forth in this Agreement or the applicable Program Brief. Bugbounty Rewards
Platform shall limit its use, disclosure and reproduction of Test Results
to the use, disclosure and reproduction of Test Results reasonably required
to perform the Testing Services and make the Test Results available to
Customer through the Hosted Service. Customer shall limit its use,
disclosure, and reproduction of Test Results solely for its internal
business purposes in connection with the Bugbounty Platform security
software.
Customer agrees that nothing in this Agreement shall be deemed to limit or
restrict Bugbounty’s rights in or to unspecified results. The Bugbounty
Platform shall have a non-exclusive, perpetual, irrevocable, worldwide,
transferable, sublicensable, and fully paid right to reproduce, create
derivative works of, distribute, publicly perform, publicly display,
digitally transmit, and otherwise use the unidentified results and
derivative works thereof for any purpose. The Bugbounty Platform shall have
a royalty-free, worldwide, transferable, sublicensable, irrevocable,
perpetual license to use or incorporate any suggestions, ideas, improvement
requests, comments, recommendations or other information provided by
Customer or its approved Users regarding the features, functionality or
operation of the Hosted Services or Testing Services (“Suggestions”). For
clarity, Suggestions must not include any test results and Bugbounty does
not grant rights under any patents or copyrights to Customer, and Bounty
Hunter's use of Suggestions will not identify Customer or any Authorized
Users as the source of such Suggestions.
6.2. Intellectual property rights
“Intellectual Property Rights” means, globally, all patents (including
originals, subdivisions, continuations, continuations in part, extensions,
foreign applications, utility models, and reissues), patent applications,
and copyrights (including all registrations and applications therefor),
trade secrets, service marks, trademarks, trade names, trade dress,
trademark applications, and other proprietary and intellectual property
rights, including moral rights.
7. Bugbounty Platform Representations and Warranties
7.1. General: Bugbounty makes the following representations, warranties
and representations:
1. It will make reasonable efforts to ensure that the Services are
performed in a professional and efficient manner consistent with current
technology standards.
2. It has the full right and authority to enter into and perform this
Agreement.
3. It will comply with all laws applicable to the Bugbounty Platform
under this Agreement.
Bugbounty does not guarantee that the Testing Services will identify all
vulnerabilities or that the results of the Hosted Service and Testing
Services will ensure the security of Customer's applications or systems.
Bounty Hunter does not guarantee that the Hosted Service will operate
error-free or without interruption.
8. Compensation
If the Hosted Service becomes, or in Bugbounty’s opinion is likely to
become, the subject of an infringement claim, Bugbounty may, at its option
and expense, either:
1. Obtain the customer’s right to continue using the hosted
service,
2. Replace or modify the Hosted Service so that it becomes
non-infringing,
3. Terminate the agreement and enable the customer to refund any
prepaid service and unused fees.
Notwithstanding the foregoing, Bugbounty will have no obligation under this
Section or otherwise with respect to any infringement claim based upon:
1. Any use of the Hosted Service that does not comply with this
Agreement.
2. Any use of the Hosted Service with products, hardware, software or
data not provided by the Equivalent Bugbounty Platform.
3. Any modification of the hosted service by anyone other than the
Bugbounty platform.
This Section sets forth Bugbounty’s entire liability and Customer's sole
and exclusive remedy for infringement claims and actions.
Customer will, at its own expense, defend any action against the Bugbounty
platform brought by a third party (including government agencies and
regulatory authorities) to the extent that the action is based on an
allegation that access to the Target Systems and/or data contained in the
Target Systems was accessed by Bugbounty Platform or security researchers
in performing testing services was not authorized, and Customer will
indemnify and hold harmless Bugbounty Platform for those costs and damages
finally awarded against Bugbounty Platform in any such action specifically
attributable to such claim, or those costs and damages agreed upon in the
settlement of such action signed by the customer.
9. Limitation of liability
EXCEPT FOR THE OBLIGATIONS SET FORTH IN SECTIONS 5 (CONFIDENTIALITY) AND
SECTION 8 (INDEMNIFICATION) AND AMOUNTS OWNED BY THE SERVICES, THE MAXIMUM
AGGREGATE LIABILITY OF EACH PARTY ARISING OUT OF OR RELATING TO THIS
AGREEMENT WILL NOT EXCEED THE TOTAL AMOUNT PAID TO THE SERVICE FOR THE
EVENT OR ACTION GIVING RISE TO THE LIABILITY. Neither party will be liable
for any lost profits, loss of business, loss of use, loss of data, delay or
business interruption, or loss of reputation; for any cost of purchasing
substitute goods, software or services; OR FOR ANY INCIDENTAL, INDIRECT,
CONSEQUENTIAL OR PUNITIVE DAMAGES; IN EACH CASE ARISING OUT OF OR RELATING
TO THE AGREEMENT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
10. Term and Termination
This Agreement shall begin on the Effective Date and will continue until
terminated by either party in accordance with the terms of this Agreement.
Either party may terminate this Agreement or any Order immediately upon
written notice to the other party (“Defaulting Party”) if the defaulting
party has materially breached a provision of this Agreement or any Order,
and such breach shall remain uncured for a period of thirty (30) days after
the defaulting party receives notice of such breach.
10.1. Effects of termination
Upon termination or expiration of this Agreement or the applicable Order,
Customer will cease using the Hosted Service. Sections 1 (Definitions), 3
(Independent Contractor Relationship), 4 (Fees), 5 (Confidentiality), 6
(Ownership), 7 (Representations and Warranties), 8 (Indemnification), 9
(Limitation of Liability), and 10.1 (Effects of Termination) and 11
(General Provisions) shall survive any termination or expiration of this
Agreement.
11. General provisions
11.1. Any action arising out of or relating to this Agreement shall be
governed by the laws of the Sultanate of Oman. The two parties agree to
resolve any dispute arising from this agreement amicably. In the event of
failure of the amicable settlement, the two parties agree to refer the
dispute to the competent courts in the Sultanate of Oman.
11.2. If any provision of this Agreement is held invalid or unenforceable,
the other provisions of this Agreement will be unimpaired, and the invalid
or unenforceable provision will be deemed modified so that it is valid and
enforceable to the maximum extent permitted by law.
11.3. This Agreement or any rights hereunder may not be assigned by either
party without the express prior written consent of the other party. Any
attempted assignment in violation of the foregoing will be null and void.
11.4. Neither party will be liable under this Agreement for failure or
delay in performance resulting from a force majeure event, except for
payment obligations. In the event of a Force Majeure Event, the affected
party must make commercially reasonable efforts to resume performance
excused by the Force Majeure Event. “Force Majeure Event” means any event
beyond the reasonable control of the party affected by such event, which
causes a party to delay or fail to perform under this Agreement.
11.5. Customer may not use, export, import or transfer the Hosted Service
or Test Results except in strict accordance with all applicable laws.
11.6. In the event of any discrepancy between this Agreement and an
Accepted Order, this Agreement will supersede unless the Order expressly
modifies the terms of this Agreement with respect to the Bugbounty Platform
Security Program described in this Order.
11.7. All waivers must be in writing and signed by the party to be
charged. No waiver or failure to enforce any provision of this Agreement on
one occasion will be deemed a waiver of any other provision or of such
provision on any other occasion.
11.8. This Agreement is the final, complete and exclusive agreement of the
parties and supersedes and merges all prior or contemporaneous
communications and understandings between the parties.
11.9. Bugbounty Platform may modify or update this Agreement at any time
without notice. With the exception of Orders, the terms of any purchase
order or similar document submitted by Customer to the Bugbounty Platform
shall have no force or effect.