1. Introduction
These Terms of Service (“Terms”) govern your access to and use of the Vulnerability Research Hub (“VRH” or “Platform”), a web-based platform operated by Crowdfense Ltd (“Crowdfense”, “we”, “us”, or “our”). VRH is the researcher-facing interface through which security researchers may submit zero-day vulnerability research to Crowdfense and collaborate with our analyst team.
By registering for an account or using the Platform, you (“Researcher”, “you”, or “your”) agree to be bound by these Terms in full. If you are registering on behalf of a legal entity, you represent that you have authority to bind that entity, and references to “you” shall include that entity.
If you do not accept these Terms, you must not register for or use the Platform.
2. Definitions
The following terms have the meanings set out below:
- “Submission” means any zero-day vulnerability, technical specification, proof-of-concept, supporting material, or other research content that you submit to Crowdfense via the Platform.
- “Zero-Day Vulnerability” means a previously undisclosed security vulnerability in a software or hardware product for which no vendor-issued patch or public fix is available at the time of submission.
- “Analyst” means a member of the Crowdfense technical team responsible for reviewing, triaging, and evaluating Submissions.
- “Confidential Information” means any non-public information disclosed by either party to the other in connection with a Submission or the Platform, including but not limited to the technical details of any Submission, evaluation outcomes, pricing discussions, and client interest.
- “Acquisition Agreement” means a separate written agreement executed between Crowdfense and the Researcher governing the terms of purchase of a specific Submission, including compensation.
- “Platform” means the VRH web-based application, including all features, tools, messaging functions, and associated services made available to Researchers by Crowdfense.
3. Eligibility and Registration
3.1 Eligibility
The Platform is open to both individuals and legal entities. By registering, you represent and warrant that:
- You are at least 18 years of age, or the minimum legal age of majority in your jurisdiction if higher;
- If registering as a legal entity, the entity is duly formed and in good standing under applicable law;
- Your use of the Platform does not violate any applicable law, regulation, or obligation by which you are bound;
- You have not been previously suspended or permanently banned from the Platform.
3.2 Account Creation
Registration is open to any eligible individual or entity. You must provide accurate, complete, and current information during registration and keep your account details up to date. You are responsible for maintaining the confidentiality of your login credentials and for all activity that occurs under your account. You must notify Crowdfense immediately at [email protected] if you suspect any unauthorised use of your account.
3.3 Account Verification
Crowdfense reserves the right to verify your identity, conduct due diligence checks, or request additional information before or after granting access. We may decline or suspend access if verification cannot be completed to our reasonable satisfaction.
4. Platform Access
Subject to these Terms, Crowdfense grants you a limited, non-exclusive, non-transferable, revocable right to access and use the Platform solely for the purpose of submitting zero-day vulnerability research and collaborating with Crowdfense Analysts.
You must not: (a) sublicense, sell, resell, transfer, or assign your access rights; (b) use the Platform for any purpose other than as described in these Terms; or (c) permit any third party to access the Platform using your credentials.
Crowdfense may update, modify, or temporarily suspend the Platform at any time for maintenance or operational reasons and will endeavour to provide reasonable notice where practicable.
5. Submissions
5.1 Scope of Submissions
The Platform accepts Submissions relating to Zero-Day Vulnerabilities only. Submissions relating to known, patched, or publicly disclosed vulnerabilities will not be evaluated and may be closed without further engagement.
5.2 Submission Format
Researchers are required to provide an initial minimal technical specification describing the vulnerability at a high level. Crowdfense Analysts may request additional technical details or clarification through the Platform’s messaging function during the evaluation process. You agree to engage in good faith with any such requests within a reasonable timeframe.
5.3 Submission Lifecycle
Submissions progress through the following status stages, which are visible to you within the Platform:
- Submitted: Your submission has been received.
- Evaluating: The Analyst team is conducting the initial review.
- Triaging: The item is undergoing the Acceptance Testing.
- Feedback Required: Crowdfense has requested additional information or clarification.
- Accepted: Crowdfense has purchased the submitted item.
- Rejected: The submission does not meet Crowdfense’s current acquisition criteria.
- Closed: The Submission process has concluded, whether through agreement, rejection, or withdrawal.
Crowdfense does not guarantee any particular timeline for progression through these stages, and the evaluation process is conducted entirely at Crowdfense’s discretion.
5.4 Collaboration
Where Crowdfense assigns multiple Researchers to collaborate on a single Submission, each Researcher acknowledges that other contributors may have access to the Submission details within the Platform. Each collaborating Researcher remains individually bound by these Terms, including the confidentiality obligations in Section 7.
5.5 Non-Exclusive Submissions
Crowdfense accepts non-exclusive Submissions. You are not required to certify that a Submission has not been shared with or offered to third parties. However, you must disclose at the time of submission whether the same vulnerability has been submitted to, or is under active review by, any other party. Failure to make such disclosure may result in termination of the evaluation and cancellation of any resulting Acquisition Agreement.
5.6 No Obligation to Acquire
The submission and evaluation process does not create any obligation on the part of Crowdfense to acquire, purchase, or compensate you for any Submission. Crowdfense may decline to proceed with any Submission at any stage, for any reason or no reason, without liability to you.
6. Compensation
Compensation for any Submission that Crowdfense elects to acquire is governed exclusively by a separate Acquisition Agreement between you and Crowdfense. These Terms do not create any entitlement to payment. No compensation shall be due unless and until a valid Acquisition Agreement has been signed by both parties.
7. Confidentiality
7.1 Mutual Obligations
Each party agrees to keep the other party’s Confidential Information strictly confidential and not to disclose it to any third party without the prior written consent of the disclosing party. Each party agrees to use the other party’s Confidential Information solely for the purposes of evaluating and, where applicable, completing an acquisition under these Terms.
7.2 Researcher Obligations
You must not disclose to any third party: (a) the fact that a Submission is under review by Crowdfense; (b) any feedback, pricing indication, or commercial terms communicated by Crowdfense; or (c) any information concerning Crowdfense’s clients, acquisition criteria, or internal processes that becomes known to you through your use of the Platform.
7.3 Exceptions
Confidentiality obligations do not apply to information that: (a) is or becomes publicly available through no fault of the receiving party; (b) was already known to the receiving party prior to disclosure; (c) is independently developed by the receiving party without use of the Confidential Information; or (d) is required to be disclosed by applicable law or court order, provided the disclosing party is given prompt written notice and a reasonable opportunity to seek a protective order.
7.4 Duration
Confidentiality obligations shall survive termination or expiry of these Terms for a period of three (3) years.
8. Intellectual Property
8.1 Ownership
You retain ownership of any intellectual property rights in your Submissions until and unless an Acquisition Agreement is executed, at which point ownership and/or licensing rights shall be governed exclusively by that agreement.
8.2 Licence to Evaluate
By submitting research via the Platform, you grant Crowdfense a limited, non-exclusive, royalty-free licence to access, review, and technically evaluate the Submission for the sole purpose of determining whether to enter into an Acquisition Agreement with you. This licence does not extend to any commercial use, onward disclosure, or monetisation of the Submission prior to execution of an Acquisition Agreement.
8.3 Researcher Warranties
You represent and warrant that: (a) you are the sole author or have the authority to submit the research; (b) the Submission does not infringe any third-party intellectual property rights; and (c) no third-party consents or approvals are required for Crowdfense to evaluate the Submission.
9. Researcher Conduct
You agree not to use the Platform to:
- submit knowingly false, fabricated, or misleading technical information;
- upload malware, exploits, or any code intended to harm Crowdfense’s systems or personnel;
- attempt to gain unauthorised access to any part of the Platform or Crowdfense’s infrastructure;
- harass, threaten, or abuse Crowdfense personnel;
- use automated tools, bots, or scrapers to interact with the Platform;
- impersonate any other person or entity.
Crowdfense reserves the right to remove any content and suspend or terminate any account where these obligations are breached.
10. Disclaimers and Limitation of Liability
10.1 Platform Availability
The Platform is provided on an “as is” and “as available” basis. Crowdfense does not warrant that the Platform will be error-free, uninterrupted, or free from security vulnerabilities. To the fullest extent permitted by applicable law, Crowdfense disclaims all warranties, express or implied, including any implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
10.2 Limitation of Liability
To the fullest extent permitted by law, Crowdfense shall not be liable to you for any indirect, incidental, special, consequential, or punitive damages arising out of or related to these Terms or your use of the Platform, including but not limited to loss of profit, loss of revenue, loss of anticipated savings, or loss of data.
Crowdfense’s total aggregate liability to you under or in connection with these Terms shall not exceed one hundred pounds sterling (GBP 100).
10.3. Exceptions
Nothing in these Terms shall limit or exclude liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited under applicable law.
11. Term and Termination
11.1. Term
These Terms come into effect on the date you register your account and continue until terminated.
11.2 Termination by You
You may terminate your account and these Terms at any time by submitting a written request to Crowdfense. Termination will not affect any Acquisition Agreement already in force.
11.3. Termination by Crowdfense
Crowdfense may suspend or terminate your account and these Terms at any time, with immediate effect and without prior notice, if: (a) you breach any provision of these Terms; (b) we reasonably suspect fraud, misrepresentation, or unlawful conduct; or (c) we determine, in our sole discretion, that continued access is not in our commercial or operational interests, in which case reasonable notice will be provided where practicable.
11.4. Effect of Termination
On termination: (a) your right to access the Platform ceases immediately; (b) confidentiality and intellectual property provisions, and any other provisions that by their nature should survive, shall continue in full force; and (c) any Acquisition Agreement already executed remains binding on its own terms.
12. Changes to These Terms
Crowdfense may update these Terms from time to time. Your continued use of the Platform constitutes automatic acceptance of the revised Terms. If you do not accept the changes, you must stop using the Platform and request termination of your account.
13. Governing Law and Disputes
These Terms and any dispute or claim arising out of or in connection with them (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England and Wales.
The parties irrevocably agree that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with these Terms.
14. General
Entire Agreement. These Terms, together with any Acquisition Agreement, constitute the entire agreement between the parties in relation to the Platform and supersede all prior representations, agreements, or understandings.
Severability. If any provision of these Terms is found to be unenforceable, it shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall continue in full force.
Waiver. No failure or delay by Crowdfense in exercising any right under these Terms shall operate as a waiver of that right.
Assignment. You may not assign or transfer your rights or obligations under these Terms without the prior written consent of Crowdfense. Crowdfense may assign these Terms freely, including to any successor entity or in connection with a merger or acquisition.
Notices. All notices to Crowdfense under these Terms should be sent in writing to [email protected]. Notices to you will be sent to the email address associated with your account.
No Partnership. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship between you and Crowdfense.
