Legal Requirements
Before reporting a vulnerability, please read and accept these legal requirements.
By signing up to participate in the SAS Vulnerability Disclosure Program (the “Program”) and/or by submitting a report hereunder, each external researcher (“You” or “Researcher”) agree to following legal requirements (the “Agreement”). You represent and warrant that you are at least eighteen (18) years of age and that you have full authority to enter into this Agreement. If you do not wish to accept the terms of this Agreement, do not sign up or participate in the Program.
- In connection with Your security research activities or other participation in the Program, You agree to comply with (1) all applicable Federal, State, and local laws and (2) all requirements and guidelines described in the Program documentation.
- You hereby represent that You have obtained the necessary approvals and consents from all third parties, including but not limited to Your employer, for the purpose of participating in the Program.
- You agree that You will not do the following without the prior written consent of SAS:
- Use in advertising, publicity, or otherwise the name of SAS or its affiliates or any trade name, trademark, trade device, service mark, symbol, or any abbreviation, contraction, or simulation thereof owned by SAS or its affiliates
- Represent, directly or indirectly, any service or work provided by You as approved or endorsed by SAS or its affiliates.
- You hereby represent and warrant that You will disclose all of the testing results found or identified by You in connection with Your security research activities or other participation in the Program (“Testing Results”) to SAS. Furthermore, You hereby assign to SAS, and agree to assign to SAS, any and all of Your Testing Results and all rights thereto. To the extent any rights in Your Testing Results are not assignable, You shall grant, and agree to grant, to SAS under any and all such rights an irrevocable, paid-up, royalty free, perpetual, exclusive, sublicensable (directly or indirectly through multiple tiers), transferable, and worldwide license to use and permit others to use such Testing Results in any manner desired by us (and/or our customers and sponsors) without restriction or accounting to you, including, without limitation, the right to make, have made, sell, offer for sale, use, rent, lease, import, copy, prepare derivative works, publicly display, publicly perform, and distribute all or any part of such Testing Results and modifications and combinations thereof and to sublicense (directly or indirectly through multiple tiers) or transfer any and all such rights. Further, You shall waive, and agree to waive, in favor of SAS any moral right or other right or claim that is contrary to the intent of a complete transfer of rights to SAS in Your Testing Results.
- You agree that any and all information acquired or accessed by You as part of Your participation in the Program, including but not limited to Your Testing Results, (the “Confidential Information”) is confidential to SAS. Before engaging in any testing or submitting findings You agree that You will (i) hold in confidence and not disclose to any third party any Confidential Information, except as approved in writing by SAS; (ii) protect such Confidential Information with at least the same degree of care that You use to protect Your own confidential information, but in no case, less than reasonable care; and (iii) immediately notify SAS upon discovery of any loss or unauthorized disclosure of the Confidential Information. You shall not copy, reproduce, sell, assign, license, market, transfer, or otherwise dispose of, give, or disclose such Confidential Information to third parties, or use such Confidential Information for any purposes other than for Your participation in the Program.
- You acknowledge and agree that any and all information You encounter while participating in the Program is owned by SAS or its third-party providers, clients, or customers. You have no rights, title, or ownership to any information You may encounter. Except for the limited use of the Information authorized in this Agreement, SAS grants You no copyright, patent, trademark, trade secret or other intellectual property rights.
- SAS may modify the terms of this Agreement or terminate the Program at any time.
- By submitting Your Testing Results, You consent to such Results being transferred to, and stored in, the United States. You further acknowledge that You have read and accepted the Terms of Use, Privacy Policy, and Disclosure Guidelines (together with this Agreement, the “Researcher Terms and Conditions.”.
- You must not test for spam, social engineering, or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not their own.
- No Testing Results or submissions may be publicly disclosed at any time by You. SAS does not publicly disclose reports at this time. If and when SAS does disclose a report, You hereby authorize us to publicize Your Testing Results, including account name. With respect to the personal information of Researchers, please refer to the SAS Privacy Policy available at https://www.sas.com/en_us/legal/privacy.html.