Rippling Vulnerability Reporting Terms and Conditions

Last Updated: August 16, 2021

The Rippling Vulnerability Reporting Program Terms and Conditions ("Terms") cover your participation in the Rippling Vulnerability Reporting Program (the "Program"). These Terms are between you and Rippling ("Rippling," "us" or "we"). By submitting any vulnerabilities to Rippling or otherwise participating in the Program in any manner, you accept these Terms.

PROGRAM OVERVIEW

The Program enables users to submit vulnerabilities and exploitation techniques ("Vulnerabilities") to Rippling about Rippling products and services ("Products") for a chance to earn rewards in an amount determined by Rippling in its sole discretion ("Bounty"). The decisions made by Rippling regarding Bounties are final and binding. Rippling may change or cancel this Program at any time, for any reason.

CHANGES TO THESE TERMS

We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the new Terms, you must not participate in the Program.

If you wish to opt-out of the Program and not be considered for Bounties, contact us at bounty@rippling.com. Opting out will not affect any licenses granted to Rippling in any Submissions provided by you.

PROGRAM ELIGIBILITY

You ARE eligible to participate in the Program if you meet all of the following criteria:

  • You are 14 years of age or older. If you are at least 14 years old but are considered a minor in your place of residence, you must obtain your parent's or legal guardian's permission prior to participating in this Program; and
  • You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program. 

You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

  • You are a resident of any countries under U.S. sanctions (see link for current sanctions list posted by the United States Treasury Department) or any other country that does not allow participation in this type of program;
  • You are under the age of 14;
  • Your organization does not allow you to participate in these types of programs;
  • You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;
  • You are currently an employee of Rippling or a Rippling subsidiary, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • Within the six months prior to providing us your Submission you were an employee of Rippling or a Rippling subsidiary;
  • You currently (or within six months prior to providing us your Submission) perform services for Rippling or a Rippling subsidiary in an external staff capacity that requires access to the Rippling Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor; or
  • You are or were involved in any part of the development, administration, and/or execution of this Program.

It is your responsibility to comply with any policies that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty. All payments will be made in compliance with local laws, regulations, and ethics rules. Rippling disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.

There may be additional restrictions on your ability to enter depending upon your local law.

SUBMISSION PROCESS

If you believe you have identified a Vulnerability, you may submit it to Rippling through the process described at https://www.rippling.com/vulnerability-reporting

Depending on the detail of your Submission, Rippling may award a Bounty of varying scale. Well-written reports and functional exploits are more likely to result in Bounties. Those Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Bounties.

Rippling is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify Rippling at bounty@rippling.com to ensure your Submission was received.

There are no restrictions on the number of qualified Submissions you can provide and potentially be paid a Bounty for.

If you submit a Vulnerability for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive Bounty payments if the product or service is later added to the Program.

SUBMISSION LICENSE

Rippling is not claiming any ownership rights to your Submission. However, by providing any Submission to Rippling, you:

  • grant Rippling the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
  • agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
  • understand and acknowledge that Rippling may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
  • understand that you are not guaranteed any compensation or credit for use of your Submission; and
  • represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Rippling.

CONFIDENTIALITY OF SUBMISSIONS / RESTRICTIONS ON DISCLOSURE

Protecting customers is Rippling's highest priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Rippling will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

SUBMISSION REVIEW PROCESS

After a Submission is sent to Rippling in accordance with these Terms, Rippling engineers will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive.

Rippling retains sole discretion in determining which Submissions are qualified, according to the rules set forth in the Product Program Terms. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to Rippling, we may award a differential to the person submitting the duplicate report.

If you report a Vulnerability without a functioning exploit, you may be eligible for a partial Bounty. If you submit the functioning exploit within 90 days of submitting the Vulnerability, we may, in our discretion, provide an additional Bounty payment (but are not obligated to do so).

BOUNTY PAYMENTS

The decisions made by Rippling regarding Bounties are final and binding.

If we have determined that your Submission is eligible for a Bounty under the Program Terms, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.

If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.

If your Submission qualifies for a Bounty, please note:

  • you may not designate someone else as the Bounty recipient unless you are considered a minor in your place of residence;
  • if you are eligible for this Program but are considered a minor in your place of residence, we may award the Bounty to your parent/legal guardian on your behalf and require them to sign all required forms on your behalf. The Bounty will be added to the taxable income of your parent/legal guardian;
  • if you are unable or unwilling to accept your Bounty, we reserve the right to rescind it; and
  • if you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).

CODE OF CONDUCT

By participating in the Program, you will follow these rules:

  • Don’t do anything illegal.
  • Don't engage in any activity that exploits, harms, or threatens to harm children.
  • Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
  • Don't share inappropriate content or material (involving, for example, nudity, bestiality, pornography, graphic violence, or criminal activity).
  • Don't engage in activity that is false or misleading.
  • Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, communicating hate speech, or advocating violence against others).
  • Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
  • Don't help others break these rules.

If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.

SAFE HARBOR

When you conduct vulnerability research in accordance with this policy, we consider that research to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms of Service and/or Acceptable Usage Policy that would interfere with conducting security research, and we waive those restrictions on a limited basis; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report to bounty@rippling.com before going any further.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.

NO WARRANTIES

RIPPLING, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.

LIMITATION OF LIABILITY & BINDING ARBITRATION

If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from Rippling or any affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to $100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.

BINDING ARBITRATION AND CLASS ACTION WAIVER If You Live In (or, If a Business, Your Principal Place of Business Is In) the United States

We hope we never have a dispute, but if we do, you and we agree to try for 60 days to resolve it informally. If we can't, you and we agree to pursue the dispute resolution procedures detailed below. 

Agreement to Arbitrate. ANY DISPUTE OR CLAIM RELATING IN ANY WAY TO THE PROGRAM OR THESE TERMS SHALL BE RESOLVED BY BINDING, INDIVIDUAL ARBITRATION, RATHER THAN IN COURT. THE TERMS IN THIS SECTION ARE REFERRED TO AS THE “ARBITRATION AGREEMENT.” THIS ARBITRATION AGREEMENT APPLIES TO ALL SUCH CLAIMS, BROUGHT UNDER ANY LEGAL THEORY, UNLESS THE CLAIM FITS IN ONE OF THE EXCEPTIONS IDENTIFIED IN THE “EXCEPTIONS TO AGREEMENT TO ARBITRATE” SECTION BELOW.

This arbitration agreement is governed by the Federal Arbitration Act (FAA), including its procedural provisions, in all respects. This means that the FAA governs, among other things, the interpretation and enforcement of this arbitration agreement and all of its provisions, including, without limitation, the class action waiver discussed below. State arbitration laws do not govern in any respect.

This arbitration agreement is intended to be broadly interpreted and will survive termination of this Agreement. The arbitrator, and not any federal, state or local court or agency, shall have exclusive authority to the extent permitted by law to resolve all disputes arising out of or relating to the interpretation, applicability, enforceability, or formation of this Agreement, including, but not limited to, any claim that all or any part of this agreement is void or voidable. If the parties have a dispute about whether this arbitration agreement can be enforced, whether this arbitration agreement applies to a dispute, or any other dispute about the meaning or scope of this arbitration agreement, the parties agree that the arbitrator shall have exclusive authority to resolve the dispute.

There is no judge or jury in arbitration, and court review of an arbitration award is limited. However, an arbitrator can award on an individual basis the same damages and relief as a court (including injunctive and declaratory relief or statutory damages) and must follow this Agreement as a court would. For the avoidance of doubt, the arbitrator can award public injunctive relief.

In the event this arbitration agreement is for any reason held to be unenforceable or inapplicable to a claim, any litigation against Rippling (except for the intellectual property and small claims actions described in “Exceptions to Agreement to Arbitrate” below) may be commenced only in a federal or state court located within San Francisco County, California, and both parties consent to the jurisdiction of those courts for such purposes.

Exceptions to Agreement to Arbitrate. You and Rippling agree that the agreement to arbitrate will not apply to any disputes relating to your or Rippling’s intellectual property (e.g., trademarks, trade dress, domain names, trade secrets, copyrights or patents) and that such disputes may be brought in any court that has jurisdiction over such claims. Also, either party can bring a claim in small claims court in San Francisco, California (or small claims court in another place if both parties agree in writing), if it qualifies to be brought in that court.

Details of Arbitration Procedure.

(a) Informal Resolution. You and Rippling agree that good-faith informal efforts to resolve disputes often can result in a prompt, low-cost and mutually beneficial outcome. Prior to demanding or filing any arbitration, you and Rippling agree to personally meet and confer, in person or by videoconference, in a good-faith effort to resolve informally any claim covered by this arbitration agreement. If you are represented by counsel, your counsel may participate in the conference, but you shall also fully participate in the conference. The party initiating the claim must give notice to the other party in writing of its, his, or her intent to initiate an informal dispute resolution conference, which shall occur within 60 days after the other party receives such notice, unless an extension is mutually agreed upon by the parties. To notify Rippling that you intend to initiate an informal dispute resolution conference, email notices@rippling.com with the subject “INFORMAL DISPUTE RESOLUTION REQUEST” and provide your name, the telephone number associated with your Rippling account, the email address associated with your email account, and a description of your claim. In the interval between the party receiving such a notice and the informal dispute resolution conference, the parties shall be free to attempt to resolve the initiating party’s claims. Engaging in an informal dispute resolution conference is a requirement that must be fulfilled before commencing arbitration. The statute of limitations and any filing fee deadlines shall be tolled while the parties engage in the informal dispute resolution process described in this paragraph.

(b) If the informal dispute resolution process does not result in a resolution of the dispute within 60 days after the conference is held, either party may initiate an arbitration proceeding under the rules of the AAA. AAA’s rules and procedures are available on its website at http://www.adr.org, or Customer can call them at 1-800-778-7879. The arbitration will be governed by the then-current version of AAA’s Commercial Arbitration Rules (the "AAA Rules") and will be held before a single arbitrator appointed in accordance with the AAA Rules. To the extent anything described in this agreement to arbitrate conflicts with the AAA Rules, the language of this agreement to arbitrate applies. Any arbitration will be conducted in San Francisco, California, or in another location that both parties agree to in writing.

(c) Discovery. Each party will be entitled to get a copy of non-privileged relevant documents in the possession or control of the other party and each party may take one (1) deposition. All such discovery will be in accordance with procedures approved by the arbitrator. This agreement to arbitrate does not alter in any way the statute of limitations that would apply to any claims or counterclaims asserted by either party.

(d) Arbitration Award. The arbitrator’s award will be based on the evidence admitted and the substantive law of the State of California and the United States, as applicable, and will contain an award for each issue and counterclaim. The award will provide in writing the factual findings and legal reasoning for such award. The arbitrator will not be entitled to modify this Agreement, and may not award any relief that is inconsistent with this Agreement.

(e) Final and Binding. Except as provided in the Federal Arbitration Act, the arbitration award will be final and binding on the parties. Judgment may be entered in any court of competent jurisdiction.

Class Action Waiver. You and Rippling agree that any claims or controversies between the parties must be brought against each other on an individual basis only, and not in a class, consolidated, or representative action. That means neither you nor Rippling can bring such a claim as a plaintiff or class member in a class action, consolidated action, or representative action. The arbitrator cannot combine or consolidate more than one person’s or one entity’s claims into a single case, and cannot preside over any consolidated, class or representative proceeding (unless all parties agree otherwise in writing). Further, the arbitrator’s decision or award in one person’s or entity’s case can only impact the person or entity that brought the claim, not other entities or Rippling customers, and cannot be used to decide other disputes with other customers. YOU AGREE TO WAIVE ANY RIGHT TO A JURY TRIAL, YOU AGREE TO WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS-WIDE OR REPRESENTATIVE ARBITRATION, AND YOU AGREE TO WAIVE ANY RIGHT TO PARTICIPATE IN ANY CLASS ACTION LAWSUIT (INCLUDING FOR ANY CLAIM THAT IS DETERMINED NOT TO BE SUBJECT TO ARBITRATION UNDER THESE TERMS). If a court decides that this class action waiver is not enforceable or valid, then the entire agreement to arbitrate will be null and void, but the rest of this Agreement will still apply.

CHOICE OF LAW AND PLACE TO RESOLVE DISPUTES

If you live in (or, if a business, your principal place of business is in) the United States, the laws of the state where you live govern all claims, regardless of conflict of laws principles, except that the Federal Arbitration Act governs all provisions relating to arbitration. You and we irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in San Francisco County, California, for all disputes arising out of or relating to these Terms or the Program that are heard in court (excluding arbitration and small claims court).

MISCELLANEOUS

These Terms constitute the entire agreement between you and Rippling for your participation in the Program. They supersede any prior agreements between you and Rippling regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court or arbitrator holds that we can't enforce a part of these Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms won't change.

UNSOLICITED IDEAS

Other than your Submission, Rippling does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to Rippling through the Program or otherwise, Rippling makes no assurances that your ideas will be treated as confidential or proprietary.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.