Bug Bounty
1. Introduction
At nitro-ai.org, we prioritize the security of our users and the integrity of our platform. To bolster our defenses, we invite security researchers to identify and report vulnerabilities through our Bug Bounty Program. This initiative aims to foster collaboration between nitro-ai.org and the security community to maintain a safe environment for all users.
2. Scope
The Bug Bounty Program covers vulnerabilities found in the following areas:
- The judge.nitro-ai.org website, for accidentally discovered vulnerabilities, and the judge-staging.nitro-ai.org website
- APIs and services provided by judge-staging.nitro-ai.org
- User authentication and authorization mechanisms
- Data storage and management systems
Out-of-scope vulnerabilities include:
- Third-party applications or services
- Denial of Service (DoS) attacks, including financial abuse and resource exhaustion attacks
- Social engineering attacks
- Physical security issues
3. Eligibility
To participate in the Bug Bounty Program, users must:
- Adhere to legal guidelines and avoid violating any laws or regulations
- Respect user privacy and avoid accessing or compromising user data
- Refrain from public disclosure of vulnerabilities before they are addressed
4. Reporting Guidelines
When reporting a vulnerability, please provide:
- A detailed description of the vulnerability, including its location and potential impact
- Steps to reproduce the vulnerability, accompanied by screenshots or proof-of-concept code
Reports should be submitted through our Bug Bounty Submission Form.
5. Program Terms
- nitro-ai.org reserves the right to modify or terminate the Bug Bounty Program at any time without prior notice.
- Rewards are granted at the sole discretion of nitro-ai.org and are subject to applicable laws and regulations.
- Users must not engage in activities that could harm nitro-ai.org's systems or users.
- Participation in the program constitutes acceptance of these terms.
6. Prohibited Activities
The following activities are strictly prohibited and are considered illegal:
- Attacking or attempting to exploit the production environment.
- Performing any actions that could harm the availability, integrity, or confidentiality of our systems or data.
- Accessing, modifying, or deleting data that does not belong to you.
- Using automated tools or scanners that may disrupt the production environment.
- Social engineering, phishing, or physical attacks against employees, customers, or infrastructure.
- Attempting to exhaust available resources or to cause a high bill from third-party providers.
- Any activity that violates applicable laws or regulations.
7. Responsible Disclosure
If you discover a vulnerability, you must:
- Report it to us immediately through the designated reporting channel.
- Provide detailed information about the vulnerability, including steps to reproduce it.
- Refrain from publicly disclosing the vulnerability until we have had sufficient time to address it.
- Cooperate with us to validate and resolve the issue.
8. Legal Compliance
By participating in this Bug Bounty Program, you agree to comply with all applicable laws and regulations. Any unauthorized access, testing, or exploitation of our systems, especially in the production environment, will be considered a violation of the law and may result in civil or criminal penalties.
9. Safe Harbor
We will not pursue legal action against researchers who comply with the terms of this Bug Bounty Program and act in good faith to responsibly disclose vulnerabilities. However, this safe harbor does not apply to individuals who engage in prohibited activities or violate the terms of this program.
10. Amendments
We reserve the right to modify the terms of this Bug Bounty Program at any time. Participants are responsible for reviewing the terms regularly to ensure compliance.
For any inquiries regarding the Bug Bounty, contact us at: [email protected]
Last Updated: 20.02.2025