Vulnerability Disclosure


Program overview

The Program enables users to submit vulnerabilities and exploitation techniques ("Vulnerabilities") to needl about needl’s products and services for a chance to earn rewards determined by needl in its sole discretion. The decisions made by needl regarding rewards are final and binding. needl may change or cancel this Program at any time, for any reason.

Changes to these terms

We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the new Terms, you must not participate in the Program.

Program eligibility

You are eligible to participate in the Program if you meet all of the following criteria:

a. You are 14 years of age or older. If you are at least 14 years old but are considered a minor, you must obtain your parent's or legal guardian's permission prior to participating in this Program; and

b. You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.

Submission process

If you believe you have identified a Vulnerability that meets the applicable requirements set forth by needl, you may submit it to needl, in accordance with the following process.

Each Vulnerability submitted to needl shall be a "Submission." Submissions must be sent to ciso@needl.ai. In the initial email, specify the Vulnerability details and the specific product/software/service version you used to validate your research. Please also include as much of the following information as possible:

a. type of issue;
b. any special configuration required to reproduce the issue;
c. step-by-step instructions to reproduce the issue on a fresh install;
d. proof-of-concept or exploit code;
e. impact of the issue, including how an attacker could exploit the issue.

If you do not receive a confirmation email after making your Submission, notify needl at ciso@needl.ai to ensure your Submission was received.

There are no restrictions on the number of qualified Submissions you can provide and potentially be paid a Bounty for.

Submission License

needl is not claiming any ownership rights to your Submission. However, by providing any Submission to needl, you:

a. grant needl the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyse your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);

b. agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;

c. understand and acknowledge that needl may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;

d. understand that you are not guaranteed any compensation or credit for use of your Submission; and

Confidentiality of submissions / restrictions on disclosure

Protecting customers is needl's highest priority. We endeavour to address each Vulnerability report in a timely manner. While we are doing that, we require that the Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions.

You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 60 days after the Vulnerability is fixed. needl will notify you when the Vulnerability in your Submission is fixed.

Violations of this section could disqualify you from participating in the program in the future.

Submission review process

After a Submission is sent to needl in accordance with this Program, needl engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.

needl retains sole discretion in determining which Submissions are qualified, according to the rules set by needl.

Public recognition

needl may publicly recognize individuals who have submitted vulnerability reports which helped needl to fix any probable vulnerability(ies) in the system. needl, at its discretion, may recognize you on its website unless you explicitly ask us not to include your name.

Expected behaviour from you

By participating in the Program, you will follow these rules:
a. Don’t do anything illegal.
b. Don't engage in any activity that exploits, harms, or threatens to harm children.
c. Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
d. Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
e. Don't engage in activity that is false or misleading.
f. Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
g. Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
h. Don't help others break these rules.

If you violate these Terms, you may be prohibited from participating in the Program in the future.

No Warranties

needl, and our affiliates, make no warranties, express or implied, guarantees or conditions with respect to the program. You understand that your participation in the program is at your own risk. To the extent permitted under your local law, we exclude any implied warranties in connection with the program. You may have certain rights under your local law. Nothing in these terms is intended to affect those rights, if they are applicable.

Limitation of liability & binding arbitration

If you have any basis for recovering damages in connection with the Program, you agree that your exclusive remedy is to recover from needl direct damages up to $100. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitation.

Applicable Laws

Laws as are applicable in India will govern the relationship between needl and you.

If you do not agree to these terms, please do not send us any submissions or otherwise participate in this program.