Researcher Terms & Conditions
Last updated: 24 April 2026. These terms form a binding agreement between you (the Researcher) and VibeBounty Ltd ("VibeBounty", "we", "us").
1. Definitions
"Platform" means the VibeBounty web application and associated services. "Program" means a bug bounty program operated by a Developer on the Platform. "Report" means a vulnerability submission you make against a Program. "Developer" means the registered developer-role user who operates a Program.
2. Eligibility
You must be at least 18 years old and legally permitted to conduct security research in your jurisdiction. Creating a Researcher account is free. By registering you confirm you meet these requirements.
3. Report Quality & Authenticity (Key Term)
You agree that every Report you submit must be the product of your own genuine manual security research.
Specifically, you must not:
- Submit Reports that are wholly or substantially generated by an AI assistant, language model, or automated scanner without meaningful human verification and original analysis.
- Submit speculative, untested, or template-based Reports that lack reproduction steps you have personally verified.
- Pad Reports with boilerplate content, generic CVE descriptions, or copied vulnerability write-ups from other sources.
- Submit duplicate Reports for the same vulnerability you have already reported, on this Platform or elsewhere.
Submitting low-quality or AI-generated ("slop") Reports will result in reputation penalties, submission restrictions, and may lead to permanent account suspension.
4. Non-Disclosure Obligation (Key Term)
You must not publicly disclose any information about a vulnerability you have reported until one of the following conditions is met:
- The Developer has formally accepted the Report and given written permission for disclosure.
- The Developer has formally rejected the Report and you have waited at least 14 days following rejection.
- 90 days have elapsed since submission with no response from the Developer (VibeBounty will notify you when this window opens).
"Public disclosure" includes blog posts, social media, conference talks, CVE requests, code repository commits, or any other communication that could identify the vulnerability or the affected product to third parties.
Breaching this obligation will result in immediate account suspension and may expose you to legal liability from the affected Developer.
5. Responsible Testing
You must only test within the explicit scope defined by each Program. You must not:
- Attempt denial-of-service attacks or any testing that degrades service availability.
- Access, download, or exfiltrate real user data beyond the minimum necessary to demonstrate the vulnerability.
- Destroy, alter, or corrupt data on any production system.
- Use automated scanners at a volume that causes meaningful server load without prior written permission from the Developer.
- Test against systems not listed in the Program scope, even if those systems appear related to the target.
6. Payouts
Payouts are at the Developer's discretion based on the configured bounty tiers for the Program at the time of submission. VibeBounty does not guarantee payment for any Report. Accepted Reports must be paid by the Developer within 48 hours. Researcher payouts are paid net of estimated Stripe processing fees, and accepted bounty payouts are final inside VibeBounty. If a Developer fails to pay, report the issue to VibeBounty and we will escalate on your behalf. Payouts are processed via Stripe Connect to your connected bank or debit account.
7. Reputation Credits
Your account operates on a reputation credit system. Credits are consumed on each submission and refunded on acceptance. Repeated low-quality submissions, violations of these Terms, or bad-faith activity will reduce your credits. Reaching zero credits results in an automatic submission ban. Credits cannot be purchased or transferred.
8. Prohibited Conduct
You must not: impersonate another researcher; collude with a Developer to manufacture fraudulent Reports; attempt to extort a Developer by threatening disclosure; submit Reports for vulnerabilities you introduced yourself; or use the Platform for any purpose other than good-faith security research.
9. Intellectual Property
By submitting a Report you grant VibeBounty and the relevant Developer a perpetual, non-exclusive licence to use the Report content for remediation and internal security purposes. You retain moral rights over your original work. You represent that the Report is your own original work and does not infringe any third party's rights.
10. Limitation of Liability
VibeBounty is a marketplace platform. We do not guarantee that submitted Reports will receive a response, be accepted, or result in payment. To the fullest extent permitted by law, VibeBounty's aggregate liability to you shall not exceed £100.
11. Termination
We may suspend or terminate your account for breach of these Terms, particularly Sections 3 and 4. Termination does not affect any outstanding payment obligations owed to you for accepted Reports submitted prior to termination.
12. Governing Law
These Terms are governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
13. Changes to These Terms
We may update these Terms from time to time. Material changes will be notified by email at least 14 days before they take effect. Continued use of the Platform after the effective date constitutes acceptance of the updated Terms.
14. Contact
Questions about these Terms? Email legal@vibebounty.com.