Bug bounty program terms

Version: R25|02

Last updated: June 27, 2024


Here, you will find the terms and conditions that relate specifically to our Bug Bounty Program Participants. These terms should be read in conjunction with the General Terms for Business Partners (the “General Terms”). Any defined terms used in these Bug Bounty Program Terms shall have the meaning given to them in the General Terms.

1. Introduction

1.1. These terms cover your voluntary participation in Deriv’s bug bounty program, which incentivises participants to discover and report vulnerabilities or bugs in Deriv’s software system or networks in exchange for a financial reward (the “Program”). By reporting a vulnerability related to any of the Deriv-owned web services to us or otherwise participating in the Program, you acknowledge that you have read and agreed to these terms.

1.2. You acknowledge that the Program is not a competition but rather an experimental and discretionary rewards program.

2. Scope

2.1. The scope of the Program is specified in detail on the Program webpage. If you aren’t sure whether some content falls within the scope of this Program, send an email to [email protected] to check before making any testing attempts.

3. Eligible participants

3.1. You cannot participate in the Program if:

3.1.1. Your employer or the organisation you work for does not allow you to participate in these types of programs;

3.1.2. You are or have been employed by us or any of our group companies;

3.1.3. You are an immediate family member of an employee or a former employee of ours or any of our group companies.

3.2. If we know or have reason to suspect that you meet any of the above criteria, we reserve the right to disqualify you from the Program and rescind any bounty payments to you.

4. Potential rewards

4.1. We reserve the right to determine if the submitted vulnerability report is eligible for a reward. The decision as to whether or not to pay a reward is entirely at our discretion.

4.2. All of our determinations as to the amount of a bounty are final.

4.3. Bounty ranges are based on the classification and sensitivity of the impacted data, ease of exploitation, and overall risk to our clients and brand if the reported vulnerability is determined to be a valid security issue by our Security team.

5. Bug submission requirements

5.1. Your submission needs to follow the guidelines below:

5.1.1. Give a full description of the vulnerability you are reporting, including the exploitability and impact.

5.1.2. Present evidence and explanation of all the required steps for reproducing the submission, which may include:

5.1.2.1. Videos;

5.1.2.2. Screenshots;

5.1.2.3. Exploit code;

5.1.2.4. Traffic logs;

5.1.2.5. Web/API requests and responses;

5.1.2.6. Email address or user ID of any test accounts; and/or

5.1.2.7. IP address used during testing.

5.2. Failure to include any of the above items may delay or jeopardise a bounty payment.

6. Sensitive information disclosure

6.1. You agree not to discuss discovered vulnerabilities (even resolved ones) outside the Program without our written consent.

6.2. You undertake to follow Deriv’s disclosure guidelines. If you believe you have discovered a security vulnerability, please report it with a thorough explanation of the vulnerability in compliance with the submission guidelines set out in Clause 5 above.

7. Licence

7.1. You hereby grant us a royalty-free, fully paid-up, perpetual, non-revocable, exclusive, worldwide, transferable, and sub-licensable licence in respect of any report and any feedback you provide us. You agree that we have unrestricted rights to utilise the report and feedback. We reserve the right to not utilise any or all items you provide us. You waive any compensation for the incorporation of any materials in a report or any feedback that you provide us regarding our products and services.

7.2. You also understand and acknowledge that we may have developed or commissioned materials similar or identical to the submission and waive claims you may have resulting from any similarities to the submission. You understand that you are not guaranteed any compensation or credit for the use of the submission.

7.3. You represent and warrant that your submission is your own work, you have not used information owned by another person or entity, and you have the legal rights to grant us the licence in this Clause 7.

8. Your obligations

8.1. You must not participate in the Program unless in doing so, you comply with all applicable laws, rules, and regulations. You are responsible for familiarising yourself with your local laws and following them, as they may place additional restrictions on your participation in the Program.

8.2. You are responsible for any tax implications in relation to your participation in the Program, which will depend on your country of residence and citizenship.

8.3. Your testing must not disrupt or compromise any data that is not your own.

8.4. You must not share any inappropriate content or material.

8.5. You must not infringe upon the rights of any third party or engage in any activity that violates the privacy of others.

8.6. You must not engage in any activity that is harmful to us, the Program, or others (including transmitting viruses).

1. Introduction

This guide is designed to help you promote Deriv effectively and ethically. By following these rules, you can build trust with your clients and represent Deriv’s values. Please read this guide carefully. If you don’t follow these rules, we may have to end our partnership. If you have questions or need help, please contact your Account Manager.

2. Branding guidelines

Use the phrase “Powered by”

Always display the phrase “Powered by” above or before the Deriv logo on your website and in any mobile apps you create.

State your partnership

Clearly communicate your relationship with Deriv. Use phrases like “in partnership with Deriv” and “in association with Deriv” or introduce yourself as a Deriv Affiliate.

Don’t impersonate Deriv

You are not allowed to create groups or channels using Deriv’s name and logo. On your website and platforms, you cannot:

  • Copy entire blocks of content from the Deriv website.
  • Mention Deriv regulations and regulator details.
  • Use Deriv employee details or images from the Deriv website.

3. Creating your online presence

Unique online identity

Keep your own style. Avoid using the same colour scheme as Deriv or names that look like or sound like Deriv.

Original content creation

Develop your unique online presence as a Deriv partner. This can be through your own website or engaging social media platforms. For example, you can create videos that guide clients on how to get started with Deriv or how to trade.

Personalised user handles

Ensure your social media handles and website domains are unique.

Never use or include the company name Deriv in your user handle.

4. Marketing and advertising standards

Requesting permission for paid ads

Before promoting Deriv through paid ads on platforms like Facebook or Google, submit a request to your Account Manager or via email at [email protected]. Include the ad copy, creative materials (videos/images), keywords, and the destination page.

Keyword bidding restrictions

Do not bid on branded keywords in paid search engine campaigns (e.g., Google and Bing).

Keywords not allowed: deriv, deriv app, deriv broker, dtrader, deriv trading, deriv live account, deriv trader, deriv virtual account, bot trading deriv, deriv.com, www.deriv.com, deriv.com login, deriv mt5 trading, automated trading deriv, deriv register, deriv cfd trading, automated trading deriv.

Use of provided marketing materials

  • Use the marketing materials available on your affiliate dashboard to promote Deriv. If you wish to create your own marketing materials, make sure to use appropriate risk warnings.
  • Do not overwrite, edit, or tamper with the marketing materials provided by Deriv. Nothing should be blurred out, and the font should be kept the same.

5. Promotional practices

Setting up campaigns

  • Plan your promotion campaigns carefully so your posts do not appear as spam.
  • Avoid spamming social media platforms, groups, emails, or websites with your affiliate link.

Social media promotion

  • Promote Deriv appropriately on legitimate social media platforms like YouTube, Facebook, Instagram, X, and Telegram.
  • Do not use pop-up ads or promotions on illegal websites to advertise your affiliate link.

6. Communication and transparency

Clarity in communication

Clearly define the services you are promoting. Make sure it’s evident that you are endorsing a trading platform and not a casino or get-rich-quick scheme. For example, you cannot represent Deriv or its products and services as:

  • A luxury product
  • An easy money platform
  • An investment opportunity
  • Anything that guarantees income or profit

Risk disclaimers: Websites

Include the following risk disclaimer in a prominent position (either on your website’s header or footer, in a readable font and font size):

  • “Deriv offers complex products, including Options and CFDs, which carry significant risks. Trading CFDs involves leverage, which can amplify both profits and losses, potentially leading to the loss of your entire investment. Trade only with money you can afford to lose and never borrow to trade. Understand the risks before trading.”

Risk disclaimers: Social media

Include the following risk disclaimer on your social media profiles and position it as a banner image, in the bio, or as a pinned post:

  • “Deriv offers complex products (Options, CFDs) with substantial risk. You could lose your entire investment. Trade responsibly and understand the risks.”

Risk disclaimers: Posts

Always add one of the following risk disclaimers to your Deriv-related social media posts:

  • “Trading is risky.”
  • “Your capital is at risk. Not investment advice.”

7. Respecting privacy

  • Always obtain permission before taking photos or videos featuring Deriv staff at any events.
  • Never share event photos, videos, or recorded calls involving Deriv staff without explicit written permission.

8. Conclusion

Following these guidelines will help you build a reputable online presence as a Deriv affiliate, fostering trust among your clients and enhancing your promotional efforts. Our partnership thrives on mutual respect and adherence to these standards. If you have any questions or need help, don’t hesitate to reach out to your Account Manager.