Bug Bounty Program Terms
User data security is a key priority for Tilda. If you discover a potential vulnerability, please report it to us. We continuously improve our protection technologies and are open to collaboration.
These terms govern participation in the Tilda Bug Bounty Program. Please carefully review this document before beginning any research. If you do not agree with the terms, do not participate in the program and do not submit vulnerability reports.

The document consists of the following sections:
Definitions
Acceptance of the Terms and Conclusion of the Agreement
General Provisions
Review of the Report and Payment Procedure
Confidentiality
Intellectual Property Rights
Liability and Compensation for Losses
Personal Data
Miscellaneous
Contacts

If you have any questions related to the program's terms, please contact us at bugbounty@tilda.cc.
Definitions
Terms – this document available at the address https://tilda.cc/lp/bugbounty/terms/.
Platform – a software suite located on the Internet at the address https://tilda.cc/, including databases and computer programs, individual modules, services, microservices, and APIs.
Customer – Tilda Platform Cloud Services Co. LLC, License 1110180, which is the administration of the Platform.
Researcher – a legally competent individual aged 18 years or older, who has a bank account in UAE dirhams, US dollars, or euros, and is performing the Work. Researchers cannot be former or current employees, contractors, or performers of the Customer or its affiliates.
Vulnerability – a technical flaw in the Platform's operation that may lead to a breach of confidentiality, including unauthorized access to data, account compromise, bypassing of authorization/data isolation mechanisms, or cause other significant negative financial, legal, or reputational consequences for the Customer, its affiliated entities, and/or the Platform's users. 
Report – a structured description of the identified Vulnerability, containing information necessary for its analysis, reproduction, and, optionally, remediation.
Work – activities for the search and detection of Vulnerabilities performed for the Customer. 
In the absence of a definition of a term in the text of the Terms, the interpretation of the term should be guided primarily by applicable law and, secondly, by the established and commonly used meaning on the Internet.
Acceptance of the Terms and Conclusion of the Agreement
The Terms are an official proposal addressed to any interested person by the Customer to conclude an agreement with any potential Researcher.
By commencing the Work, the Researcher shall be deemed to have accepted the Terms, thereby forming a legally binding agreement. Acceptance of the Terms is permitted only in full; acceptance of the Terms with exceptions and/or partially is not permitted.
1. General Provisions
1.1. Scope of Work. The Researcher shall perform the Work, and the Customer shall review the results of the completed Work in the form of Reports and, where appropriate, make a decision regarding payment of remuneration. 
The Customer shall not assign specific tasks to the Researcher; the Work shall be carried out solely at the Researcher's initiative. The Work may be performed from the date of acceptance of the Terms until the Report is accepted by the Customer.
The Work may be performed only with respect to the Platform and its components explicitly specified in the Terms. The search for technical deficiencies in any other Customer systems, users’ projects created by means of the Platform’s functionality, as well as third-party services, including analytics services, data reception services, payment systems, email services, domain name purchase services, image banks (excluding technical deficiencies in third-party services which constitute technical deficiencies of integration / API on Customer’s side, for example incorrect data transmission, leakage of sensitive data or errors in integration logic) is outside the scope of these Terms.
1.2. Report Submission. Upon completion of the Work, the Researcher shall send the Report to the Customer at the email address bugbounty@tilda.cc. Reports sent via other communication channels shall not be accepted or considered by the Customer.
The report should include a detailed description of the Vulnerability, including the specific module, service, microservice, and/or API where it was identified, the type of Vulnerability, steps to reproduce it, and optionally – recommendations for remediation. If necessary, the Report shall be supplemented with videos, screenshots, diagrams, and/or charts.
If during the performance of the Work the Researcher discovers several Vulnerabilities, the Researcher shall provide several Reports, one for each of the Vulnerabilities.
1.3. Prohibitions and Restrictions. When performing the Work, the Researcher shall not:
1) perform actions that may lead to the disruption of the Platform's functionality or negatively affect the users of the Platform and other third parties, including DDoS attacks, stress testing, introduction of malicious code;
2) use destructive methods for finding vulnerabilities, in particular, using physical access to offices, data centers, or social engineering, including phishing attacks and spam mailings;
3) use the identified Vulnerabilities for any purposes not related to their good faith disclosure to the Customer;
4) access data of the Platform user and other third parties beyond what is objectively necessary to confirm the Vulnerability and/or compile the Report;
5) engage in unauthorized access to user accounts on the Platform;
6) engage in any unlawful and/or fraudulent actions aimed at obtaining rewards through deceit, forgery, abuse, and/or evasion of the Terms.
The Customer shall be entitled to unilaterally refuse to review the Report and/or pay the Researcher's remuneration at its sole discretion, if the Researcher violates the provisions of this clause, and if their actions have caused or may cause any negative consequences for the Customer.
In case of any doubts about the admissibility of certain actions during the execution of the Work, the Researcher must contact the Customer at the email address bugbounty@tilda.cc.
1.4. Release from Claims. Upon the Researcher's compliance with the Terms, including adherence to established prohibitions and restrictions, the Customer undertakes to:
1) consider the Work and actions of the Researcher as permitted;
2) not contact law enforcement agencies and not make civil claims against the Researcher in connection with the performance of the Work.
2. Review of the Report and Payment Procedure
2.1. Review of the Report. After receiving the Report, the Customer shall review it within 30 days and decide whether there are grounds for accepting the Work and paying the Researcher. 
The Work shall be considered incomplete, and the Customer's obligation to pay the fee shall not arise if:
1) the identified technical defect is not recognized as a Vulnerability in the context of the Terms, for example, if it is a typo, a visual defect, or an error not related to information security and/or does not lead to a breach of confidentiality;
2) as of the date of receiving the Report, the Vulnerability was already known to the Customer, including if information about the Vulnerability had been previously reported by another Researcher;
3) the Vulnerability was identified as a result of the Researcher's actions, which were conducted in violation of the conditions of the Terms;
4) the Report does not contain sufficient information to verify and/or confirm the existence of the Vulnerability;
5) the Vulnerability cannot be reproduced by the Customer.
The Researcher understands and acknowledges that the Customer has the right, at their discretion, to refuse acceptance of the Work and payment of remuneration in cases other than those provided for in the Terms.  
When deciding on payment of the remuneration, the Customer shall send a notification to the Researcher's email address used when submitting the Report. In the event that the Researcher has not received a notification from the Customer or has received an email denying payment of the reward, the Work shall be considered incomplete.
2.2. Amount of Remuneration and Sending of Notification. The range of the possible Researcher’s reward amount is from USD 25 to USD 3,000. The final amount of the Researcher's reward shall be determined by the Customer independently and depend on the severity of the Vulnerability, the ease of its reproduction, as well as the potential impact on the Customer, affiliated entities, and/or Platform users. 
The final amount of remuneration shall be specified by the Customer in the notification and include all expenses of the Researcher, including applicable taxes and fees.
The Customer shall not guarantee that the remuneration will meet the Researcher's subjective expectations. The amount of the remuneration shall be considered agreed upon from the date the Researcher receives notification from the Customer, shall be final, and may not be revised and/or contested in court.
2.3. Payment Procedure. Within 10 days from the date of sending the notification, the Researcher should provide the Customer with all necessary documents and information, including payment details, documents confirming identity and tax status. 
For the purposes of determining the amount of remuneration and accounting for expenses, the Customer may also require the Researcher to sign an invoice or agreement that may restate certain provisions of the Terms. 

The remuneration shall be paid by bank transfer to the Researcher’s account, at the Researcher’s choice, in UAE dirhams, US dollars, or euros, at the currency rate specified on oanda.com on the date of payment, within 30 days from the receipt of the necessary data and/or signing of documents.
In the event of failure to provide data and/or refusal to sign documents, the payment of remuneration may be postponed by the Customer until their receipt or signing. In the event that the necessary documents are not provided or signed within 30 days of the notification being sent, the Customer shall be entitled to suspend interaction with the Researcher and refuse to pay compensation.
2.4. Tax Obligations. The Researcher shall independently pay all mandatory taxes and charges required under applicable law, including personal income tax.
If the Researcher anticipates that value-added tax obligations may arise in connection with the payments received, the Customer recommends consulting a tax advisor or accountant.
3. Confidentiality
3.1. Confidential Information. Technical information about the Platform, details about Vulnerabilities, the Researcher's reward amount, as well as any other information obtained during and/or as a result of the Work, including personal data, shall be treated as confidential by the Researcher (hereinafter referred to as the Confidential Information).
3.2. The Researcher's Obligations. The Researcher shall:
1) use the Confidential Information solely for the purpose of performing the Work;
2) not disclose or transfer the Confidential Information to third parties, including not publishing it in the media and/or on the Internet;
3) not perform acts or omissions that may result in disclosure or transmission of the Confidential Information to third parties;
4) not copy the Confidential Information to other computers, flash drives, or other media in any form and by any means;
5) take all necessary measures to safeguard the Confidential Information; 
6) notify the Customer in writing of any facts of misuse or illegal appropriation of the Confidential Information that become known to the Researcher.
The obligations provided for in this clause shall remain in effect for the duration of the agreement and for 15 years following termination of the Agreement, regardless of the grounds for termination.
3.3. Signing of a Separate Agreement. At the request of the Customer, the Researcher undertakes to sign a separate confidentiality agreement in the form provided by the Customer before starting the Work and/or at any moment during its execution. 
In the event that the Researcher refuses to sign a separate agreement, the Customer shall be entitled to suspend interaction with the Researcher, not consider submitted Reports, and/or refuse to pay the remuneration.
4. Intellectual Property Rights
4.1. Rights to the Platform. The exclusive rights to the Platform, including all its constituent elements (databases, software, including individual modules, services, microservices, and APIs), belong to the copyright holder of the Platform. 
Performance of the Work shall under no circumstances entail assignment or granting of any rights to the Platform, its source code, architecture, technical solutions, or other results of intellectual activity to the Researcher.
4.2. Assignment of Rights. When submitting the Report, the Researcher shall assign to the Customer the exclusive right to the materials contained in the Report in full, including the right to publish, copy, publicly use, translate, adapt, distribute, and otherwise use them.
By submitting the Report, the Researcher certifies that:
1) the Researcher is the sole author of the Report;
2) the Report and its use do not infringe on the rights and legal interests of third parties, including copyright and/or patent rights;
3) the assigned exclusive rights are free from any encumbrances, claims, and/or demands of third parties.
The Researcher shall give unconditional and irrevocable consent to the Customer to make reductions, additions to the Report, create derivative works based on it, as well as to use the Report without indicating the Researcher's name.
The Researcher shall not reserve the right to use the Report independently or to grant any rights to its use to third parties, either in whole or in part.
5. Liability and Compensation for Losses
5.1. Limitation of the Customer's Liability. Under no circumstances shall the Customer be liable for any losses, property damage, direct or indirect damages incurred by the Researcher in connection with the performance of the Work.  
The Customer shall not be liable for any other actions or events unless otherwise expressly stated in the Terms, including:
1) impossibility of performing the Work for reasons beyond the control of the Customer;
2) account suspension and/or automatic restriction of project publication on the Platform, caused by the performance of the Work; 
3) refusal to pay the remuneration or the remuneration amount not meeting the Researcher's subjective expectations.
If, according to the applicable law, limitation of liability specified in this section shall not apply, the aggregate financial liability of the Customer to the Researcher may not exceed 150 US dollars.
5.2. Liability of the Researcher and Compensation for Losses. In the event of a breach of the Terms or a violation of the rights and legitimate interests of third parties, or applicable legal requirements, the Researcher shall be obliged to indemnify the Customer against any claims, disputes, demands, liabilities, damages, losses, and expenses.
The Researcher undertakes to compensate the Customer for any losses caused due to a violation of the Terms, including cases of violation of any of the prohibitions and/or restrictions. Losses shall be compensated as provided by applicable law.
The Researcher acknowledges that as a result of the unauthorized use of the Customer's Confidential Information, irreparable harm may be caused to the Customer. In addition to the compensation for damages provided for in the Terms, the Researcher shall also be obliged to pay the Customer a penalty of 6,000 US dollars for each instance of disclosure or other unauthorized use of the Confidential Information.
6. Personal Data
When performing the Work, the Researcher may provide the Customer with their personal data. Such information shall be processed by the Customer based on the agreement in accordance with the Privacy Policy, with the terms of which the Researcher agrees by accepting the provisions of the Terms.
7. Miscellaneous
7.1 Term of the Agreement. The agreement shall come into force from the moment the Researcher accepts the conditions in the manner provided for by the Terms and remain in effect until it is terminated.
The Customer shall be entitled to unilaterally terminate the agreement at any time by sending the corresponding notification to the Researcher's email address used for sending the Report. The Researcher shall be entitled to unilaterally terminate the agreement at any time by ceasing performance of the Work.

Termination of the agreement shall not affect the validity of the provisions of the Terms which, by their nature, should remain in force after termination of the agreement, including provisions on confidentiality and liability.
7.2. Procedure for Amending the Terms. The Terms may be unilaterally amended by the Customer through the publication of a new version on the Internet. The Researcher may review the current version of the Terms here.

Any amendments to the Terms shall come into effect on the day following the day the amended version of the Terms is published. The Researcher undertakes to independently review the Terms for amendments and shall bear the risk of adverse consequences caused by not familiarizing themselves with the amended version of the Terms.
7.3. Invalidity of Provisions. Invalidity of one or more provisions of the Terms, recognized in accordance with the established procedure by a court decision that has entered into legal force, shall not entail the invalidity of the Terms as a whole. 
In the event that one or more provisions of the Terms are declared invalid in accordance with the established procedure, the Customer and the Researcher shall be obliged to fulfill their commitments as closely as possible to the original intent of the parties at the time of acceptance of the Terms.
7.4. Applicable Law and Languages. The provisions of the Terms and the relations between the Customer and the Researcher arising out of or in connection with the Terms shall be governed and interpreted in accordance with the laws of England and Wales without regard to the conflicts of laws provisions thereof.
The Terms are drawn up in English and may be provided to the Researcher for review in another language. In the event of a discrepancy between the English version of the Terms and the version of the Terms in another language, the provisions of the English version shall apply.
7.5. Dispute Resolution. All disputes between the Customer and the Researcher shall be resolved through correspondence and negotiations using a mandatory pre-trial (claim) procedure, unless otherwise provided for by the applicable law.
In the event that an agreement cannot be reached between the parties through negotiations within 30 days from the moment the other party receives a written claim, the dispute shall be referred by any interested party to the Courts of the Dubai International Financial Centre, whose rules are deemed to be incorporated by reference into this clause.
The language to be used in the arbitral proceedings shall be English. The number of arbitrators shall be one. The place of arbitration shall be Dubai, UAE, DIFC freezone, unless otherwise expressly provided for by the applicable laws.
8. Contacts
Customer’s Details: Tilda Platform Cloud Services Co. LLC, License 1110180, P.O. Box number 452972, Dubai, UAE, bugbounty@tilda.cc

Current version of the Terms is dated 02.04.2026
