Metaplex Bug Bounty Program Terms and Conditions
Thank you for choosing to be part of our community at Metaplex Foundation, a Cayman Islands not-for-profit company (“Company” or “Metaplex”). Metaplex has established a bounty program to compensate researchers who share with the Company critical issues about Metaplex’s products and services and the techniques used to exploit them, with the goal of resolving confirmed issues as quickly as possible. Metaplex offers public recognition and a bounty payment (“Bug Bounty”) for those who submit valid reports and related software code identifying a security issue or vulnerability with Metaplex’s platform or software (a “Bug”). By clicking “Accept” or submitting any Bug report or code to the Company, you agree to these Metaplex Bug Bounty Program Terms and Conditions (these “Terms and Conditions”). If you are not in agreement with these Terms and Conditions you may not submit Bug reports or software code to the Company.
THESE TERMS AND CONDITIONS CONTAIN A BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER. THEY AFFECT YOUR AND THE COMPANY’S RIGHTS CONCERNING THE RESOLUTION OF ANY DISPUTE BETWEEN YOU AND METAPLEX.
Metaplex reserves the right, at its sole discretion, to change, modify, add or remove portions of these Terms and Conditions at any time, provided that any changes, modifications, additions, or removals will only be applicable to Bug reports or software code submitted after the date of such changes, modifications, additions, or removals. It is your responsibility to check these Terms and Conditions periodically for changes. Your submission of Bug reports or software code following the posting of changes will mean that you accept and agree to the changes.
1. Eligibility
In order to be eligible for a Bug Bounty, the identified security issue must occur on the latest available version of Metaplex’s applicable software or service with its standard configuration. These eligibility rules are meant to protect users until an update is available, ensure that Metaplex can quickly verify reports and create necessary updates, and properly compensate those doing original research. Researchers must:
Be the first party to report the security issue to Metaplex, in accordance with these Terms and Conditions;
Provide a clear report, which includes a working exploit using the STRIDE model;
Not disclose the issue publicly (other than on the specific publicly available Bug reporting tool used by Metaplex for the applicable software or service (e.g., Github), if any) before Metaplex releases the security advisory and update to resolve the issue reported;
Provide other reasonable assistance requested by the Company in order to identify and resolve the issue reported; and
If applicable, provide Metaplex with the applicable software code developed by you relating to such vulnerability.
2. Bounty Categories
Bug Bounty payments are determined by the level of access or execution achieved by the reported issue, modified by the quality of your report and related software code. A maximum amount is set for each security tier set forth at the following link. The exact payment amounts are determined after review by the Company. All Bug Bounty payments, and the amounts thereof, are at the Company’s sole discretion.
The following issues with Metaplex software are outside the scope of these Terms and Conditions and reports flagging these issues will not result in a Bug Bounty payment:
Social engineering;
Rate limiting;
Physical security;
Non-security-impacting UX issues;
Distributed denial of service or other volumetric attacks;
Deprecated Open Source libraries;
Vulnerabilities or weaknesses in third party applications that integrate with Metaplex.
3. Report and Payout Guidelines
The goal of the Bug Bounty program is to protect users through understanding both vulnerabilities and their exploitation techniques. Reports lacking necessary information to enable Metaplex to efficiently reproduce the issue will result in a significantly reduced Bug Bounty payout, if accepted at all. A complete report includes: (1) a detailed description of the issues being reported; (2) any prerequisites and steps to get the system to an impacted state; (3) a reasonably reliable exploit for the issue being reported; and (4) enough information for the Company to be able to reasonably reproduce the issue. Maximum payout is more likely if the reported issue is unique to newly added features or code in Metaplex’s software, impacts sensitive components, or is otherwise novel. At Metaplex’s option, Bug Bounty payments may be made in U.S. dollars, Meta tokens, SOL tokens, or USD Coin. Any payments made in Meta tokens, SOL tokens, or USD Coin will have a then current market value equal to the dollar amounts set forth in these Terms and Conditions. Payments made in Meta tokens or SOL tokens will only be made to individuals or entities who do not reside in the United States. Your receipt of any Bug Bounty payment shall constitute your full and complete acceptance and acknowledgment of the sufficiency of the Bug Bounty payment and shall waive and release any further right to receive additional payment or consideration for your Bug report submission.
4. Prohibited Activities
You must not disrupt, compromise, or otherwise damage data or property owned by other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques. You must not disrupt Metaplex services. Immediately stop your research and notify the Company as set forth in these Terms and Conditions before any of the following occur:
You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners);
You disrupt any Metaplex services; or
You access a non-user-facing Company system.
5. Limitation On Bug Bounty Payments
You must not disrupt, compromise, or otherwise damage data or property owned by other parties. This includes attacking any devices or accounts other than your own (or those for which you have explicit, written permission from their owners), and using phishing or social engineering techniques. You must not disrupt Metaplex services. Immediately stop your research and notify the Company as set forth in these Terms and Conditions before any of the following occur:
You access any accounts or data other than your own (or those for which you have explicit, written permission from their owners);
You disrupt any Metaplex services; or
You access a non-user-facing Company system.
6. Taxes
You are responsible for the payment of all applicable taxes in connection with receipt of any Bug Bounty payments.
7. Compliance With Laws
You agree to comply with all applicable laws, rules, regulations, and any generally accepted practices or guidelines in the relevant jurisdictions (including any laws regarding the export of data or software to and from the United States or other relevant countries and all applicable privacy and data collection laws and regulations). To the extent required by law, you are solely responsible for obtaining or filing any approval, clearance, registration, permit, or other regulatory authorization and shall comply with the requirements of such authorization.
8. Rights and Licenses
By submitting a report to the Company you grant Metaplex all necessary rights and licenses to use the report and the information contained therein in order to investigate and resolve the identified issue. In addition, if you submit any software code to the Company then you represent and warrant you are the sole author of such code and have the right to provide it to Metaplex, and you irrevocably assign to Metaplex all right, title, and interest in and to such code, including all intellectual property rights of any kind or nature therein.
9. LIMITATION OF LIABILITY
TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL METAPLEX OR ITS SUPPLIERS OR LICENSORS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY INDIRECT, INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES, OR FOR LOSS OF USE, LOST PROFITS, OR LOSS OF DATA ARISING OUT OF OR RELATED TO THESE TERMS AND CONDITIONS OR THE BOUNTY PROGRAM, HOWEVER CAUSED AND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, STRICT LIABILITY, OR OTHERWISE, EVEN IF METAPLEX OR ITS SUPPLIERS OR LICENSORS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT WILL THE CUMULATIVE LIABILITY OF METAPLEX, ITS SUPPLIERS, AND ITS LICENSORS FOR ANY CLAIMS ARISING OUT OF OR RELATED TO THESE TERMS AND CONDITIONS OR THE BOUNTY PROGRAM EXCEED FIVE HUNDRED DOLLARS ($500). Some jurisdictions do not allow limitations of liability, so the foregoing limitation may not apply to you.
10. Indemnification
You agree to indemnify and hold Metaplex and its affiliates, and their officers, directors, employees, agents, suppliers, and licensors harmless from and against any and all claims, damages, losses, liabilities, costs and expenses (including, but not limited to, court costs and reasonable attorneys’ fees) arising out of or in connection with any breach of these Terms and Conditions by you.
11. Assignment
You may not sell, assign or transfer any of your rights, duties or obligations under these Terms and Conditions without the Company’s prior written consent. Metaplex reserves the right to assign or transfer these Terms and Conditions or any of its rights, duties and obligations hereunder to any third party.
12. Forum and Venue
THIS SECTION CONTAINS A BINDING ARBITRATION CLAUSE AND CLASS ACTION WAIVER. THEY AFFECT YOUR AND THE COMPANY’S RIGHTS CONCERNING THE RESOLUTION OF ANY DISPUTE BETWEEN YOU AND METAPLEX.
These Terms and Conditions and performance by you and the Company hereunder shall be construed in accordance with the laws of the State of California and applicable United States law, without giving effect to any conflict-of-laws principles that may provide for the application of the law of another jurisdiction. Any dispute or controversy arising from or relating to these Terms and Conditions or the enforcement of any provision of these Terms and Conditions must be arbitrated in San Francisco, California before a single arbitrator experienced in the software industry who is jointly selected and mutually approved by you and Metaplex or, if you and Metaplex are unable to or fail to agree on the selection of the arbitrator within fifteen (15) days of the demand for arbitration being served, who is appointed by Judicial Arbitration and Mediation Services (JAMS) in accordance with its rules. The arbitration will be administered by JAMS pursuant to its Comprehensive Arbitration Rules and Procedures (and in accordance with the expedited procedures in those rules). The arbitrator will require the non-prevailing party to pay for the costs of arbitration, including reasonable attorneys’ fees incurred by the prevailing party in connection with the arbitration. The results of the arbitration procedure will be considered confidential information of you and Metaplex. Any arbitration decision rendered will be final and binding, and judgment thereon may be entered in any court of competent jurisdiction. You and Metaplex agree that any proceeding to resolve or litigate any dispute hereunder, whether in arbitration or in court, will be conducted solely on an individual basis, and neither you nor Metaplex will seek to have any dispute heard as a class action, a representative action, a collective action, a private attorney-general action, or in any proceeding in which either you or Metaplex acts or proposes to act in a representative capacity. 
You and Metaplex further agree that no arbitration or proceeding will be joined, consolidated, or combined with another arbitration or proceeding without the prior written consent of all parties to such other arbitration or proceeding.
13. Confidentiality
You acknowledge that, in connection with your participation in the bounty program, you may be exposed to data and information, including product, technology, business, and strategy information that is confidential and proprietary to Metaplex (collectively, “Confidential Information”). All Confidential Information shall be the sole and exclusive property of the Company and may be used by you only for assisting the Company in resolving any Bug you have reported to Metaplex. You may not reveal, publish, or otherwise disclose the Confidential Information to any third party without the prior written consent of the Company, and shall protect the Confidential Information from disclosure using the same degree of care you use to protect your own confidential information of like kind, but in no event using less than reasonable care. For the avoidance of doubt, the issue and your report will not be considered Metaplex’s Confidential Information but may not be publicly disclosed until after Metaplex releases a security advisory and updates its software or service to resolve the issue reported.
14. General Provisions
These Terms and Conditions do not create any relationship of association, partnership, joint venture or agency between Metaplex and you. Neither Metaplex nor you will have any right or authority to assume, create or incur any liability or obligation of any kind against or in the name of the other party. These Terms and Conditions set forth the entire agreement and understanding between Metaplex and you with respect to the subject matter in these Terms and Conditions. These Terms and Conditions merge all previous discussions and negotiations between Metaplex and you and supersede and replace any and every other agreement, which may have existed between Metaplex and you with respect to the contents of these Terms and Conditions. The failure of either Metaplex or you to exercise any right granted under these Terms and Conditions, or to require the performance by the other party of any provision of these Terms and Conditions, or the waiver by either party of any breach of these Terms and Conditions, will not prevent a subsequent exercise or enforcement of such provisions or be deemed a waiver of any subsequent breach of the same or any other provision of these Terms and Conditions. If any provision of these Terms and Conditions shall be deemed unlawful, void or for any reason unenforceable, then that provision shall be deemed severable from these Terms and Conditions and shall not affect the validity and enforceability of any remaining provisions.
Last Updated: December 20, 2024