Submission policy

Code4rena is an open organization committed to improving the security of decentralized protocols while protecting the information of our sponsors and participants. This policy is intended to provide C4 Wardens (security researchers) clear guidelines for participating in code audits while conducting vulnerability discovery activities. This policy forms a binding agreement between C4 and You. By participating in code audits You agree to abide by this and any other applicable C4 policies.

The following policy conveys C4’s preferences in how to submit discovered vulnerabilities to the organization and describes what systems and types of research are covered under this policy, how to share vulnerability reports, and the length of time we expect Wardens to wait prior to publicly disclosing vulnerabilities.

Reports can be submitted at any point prior to stop time for a given audit. The details for each code audit can be found through the Code4rena website.

All community members agree to be bound by the Code4rena Code of Conduct, which can be viewed in the Code4rena Discord.

Audit contest guidelines

Under this policy, audit contests cover activities in which you:

  • Register as a C4 Warden within an individual capacity or as part of a team.

  • Submit your bug report using the submission form.

  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data, especially in regard to funds.

  • Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise funds, exfiltrate data, establish persistent access or elevated permissions, or pivot from the exploit to other systems.

  • Wait until the audit report has been published before you disclose any findings or submissions publicly.

  • Do not submit a high volume of low-quality reports.

In the event that you encounter a critical vulnerability that the sponsor project would want to know about, even before the end of the audit, please refer to "How to submit Zero-day or otherwise highly sensitive bugs."

Without explicit permission from Code4rena staff, publishing or discussing findings publicly prior to report publication is grounds for immediate forfeit of award and disqualification from any future C4 events and activities.

Unauthorized test methods

The following methods are not authorized means of testing within C4 code audits:

  • Testing exploits on deployed contracts or systems.

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.

  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing.

Intellectual Property

Unless otherwise specified in the contest's repo, You hereby grant a Creative Commons 0 1.0 license (details here) to any Background IP included in any findings, work product, or other deliverable provided to C4. “Background IP” includes any intellectual property that (i) was developed prior to the relevant Opportunity; (ii) was developed after the start of the relevant Opportunity but is outside the scope of the services; (iii) was developed after the conclusion of the relevant Opportunity but has generic applicability; or (iv) is derived from or relates to the Background IP. Notwithstanding the foregoing, with the exception of source code that is provided for the purposes of demonstrating a Finding, Background IP does not include source code.

Representations and Warranties

You hereby make the following representations and warranties:

a. Authority: You represent and warrant that You have full power and authority to agree to these terms.

b. Compliance with Sanctions Laws: Neither You nor, if applicable, any of Your affiliates or direct or indirect beneficial owners: (i) appear on the Specially Designated Nationals and Blocked Persons List ("SDN List") of the Office of Foreign Assets Control of the United States Department of the Treasury ("OFAC"), nor are You otherwise a party with which C4 is prohibited to deal under the laws of the United States; (ii) are located in, or organized under the laws of, a country or region subject to sanctions by OFAC, which, as of the posting of these terms, include Crimea, Cuba, North Korea, Iran, and Syria; (iii) are a person identified as a terrorist organization on any other relevant lists maintained by any Governmental Authority; or (iv) unless otherwise disclosed in writing to C4 prior to the date of a relevant Contest, are a senior foreign political figure, or any immediate family member or close associate of a senior foreign political figure (collectively "Prohibited Persons"). You further represent and warrant that, if a legal entity, You: (x) have conducted thorough due diligence with respect to all of Your beneficial owners; (y) have established the identities of all direct and indirect beneficial owners and the source of each beneficial owner's funds; and (z) will retain evidence of those identities, any source of funds and any due diligence. Finally, You are not acting on behalf of any Prohibited Person.

c. Sub-Contracting: You will not subcontract or delegate any services subject to these terms to any other person or entity, including without limitation any individual or entity under contract with You as an independent contractor or similar.

Indemnification

You shall defend, indemnify, and hold harmless C4 and C4's Agent, including each of their affiliates, and each of their respective officers, directors, shareholders, employees, representatives, agents, members, Participants, and all successors and assigns ("C4 Indemnitees") from and against any loss, damage or costs (including reasonable attorneys' fees) incurred in connection with claims, demands, suits, or proceedings ("Claims") made or brought against one or more C4 Indemnitees by a third party to the extent arising out of (a) Your negligence or willful misconduct; (b) a breach by You of this Policy; or (c) Your use of intellectual property owned by a third party or licensed by You from a third party.

Limitation of Liability

THE CUMULATIVE LIABILITY OF C4 AND ITS SUBSIDIARIES, AFFILIATES, OFFICERS, EMPLOYEES, AGENTS (INCLUDING BUT NOT LIMITED TO C4'S AGENT), PARTNERS AND LICENSORS TO THE CERTIFIED CONTRIBUTOR FOR ACTIVITIES UNDERTAKEN AS A CERTIFIED CONTRIBUTOR IS LIMITED TO THE AMOUNTS PAID TO CERTIFIED CONTRIBUTOR IN THE TWELVE (12) MONTH PERIOD PRECEDING THE CLAIM. IN NO EVENT SHALL C4 BE LIABLE FOR ANY SPECIAL, INDIRECT, INCIDENTAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES, WHETHER OR NOT FORESEEABLE AND HOWEVER ARISING. THIS LIMITATION SHALL APPLY BUT NOT BE LIMITED TO LOST INCOME, REVENUE, GOODWILL, USE, OR OTHER INTANGIBLE LOSSES. IT WILL ALSO APPLY IRRESPECTIVE OF WHETHER THE LIABILITY ARISES UNDER CONTRACT, TORT, OR ANY OTHER THEORY.

Miscellaneous

a. Relationship: C4 and You shall be and act independently. This Policy shall not be construed to create a partnership, joint venture, agent, employee, or employer relationship between the Parties. You do not have authority to assume or create obligations on behalf of C4, and any attempt by You to do so shall be null and void and without any force or effect.

b. Assignment: Your status and any rights, agreements or obligations thereunder may not be assigned by You by operation of law, merger or otherwise, and any purported assignment by You will be null and void.

c. Severability: In the case that any provision of these terms is held to be invalid or unenforceable, it will be enforced to the extent permitted by applicable law, and the remaining provisions of these terms shall remain in full force and effect.

d. Interpretation: No presumption against C4 shall be applied to the construction or interpretation of these terms. Any rights not expressly granted herein by a Party are reserved.

e. Waiver: The failure of C4 or You to exercise, or delay in exercising, any right, power or privilege under this Policy shall not operate as a waiver; nor shall any single or partial exercise of any right, power or privilege preclude any other or further exercise thereof.

f. Choice of Law; Submission to Jurisdiction: This Policy, and all claims or causes of action (whether in contract, tort or statute), shall be governed by and enforced in accordance with the laws of Washington state without regard to its conflict of law provisions. C4 and You each submit to the personal jurisdiction of the appropriate courts sitting in Washington state. C4 and You waive, to the fullest extent permitted by law, any objection that either may now or in the future have to venue of a proceeding brought in such a court and any claim that the proceeding was brought in an inconvenient forum.

g. Notices: Any notice, payment, demand or communication required or permitted to be delivered or given hereunder shall be deemed to have been effectively delivered or given and received on the date personally delivered to the respective Party to whom it is directed, or when sent via electronic mail to the Parties at the respective electronic mail addresses provided by each.

h. Survival: The Intellectual Property, Representations and Warranties, Indemnification, Limitation of Liability, and Miscellaneous (f) sections shall survive the termination of this Policy.

i. Entire Agreement: This Policy, together with any documents referenced or incorporated by reference, shall constitute the entire agreement between C4 and You regarding the subject matter hereof and supersedes all prior agreements, proposals and prior discussions and writings between the Parties with respect thereto.

Authorization

If you make a good faith effort to comply with this policy during your security research, C4, its affiliates, and sponsors will consider your research to be authorized.

The C4 community will work with you to understand and resolve any issues quickly, and C4, its affiliates, and sponsors will not recommend or pursue legal action related to your research.

Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, C4 will make this authorization known.

Questions

Questions regarding this policy can be addressed in the #questions channel on the C4 Discord. We also invite you to contact us with suggestions for improving this policy.

Last updated