Terms & Conditions | Bug Bounty Program

Terms & Conditions

A. Program Participation Agreement

By submitting a contribution, specifically a GitHub Pull Request (“Contribution” or “Submission”), intended to address a GitHub issue tagged as part of the 3mdeb Open-Source Contribution Bounty Program (the “Program”), you (“Participant”, “You”) acknowledge and agree to be legally bound by these Terms and Conditions (“Terms”). These Terms form a binding legal agreement of a civil law nature between You and 3mdeb Sp. z o.o., ul. Piastowska 7/20A, 80-332 Gdańsk, Poland, VAT ID: PL5842812770 (“3mdeb”, “We”, “Us”).

If You do not fully agree to these Terms, You must not participate in the Program or submit any Contributions under it.

B. Participant Obligations

  1. Lawful and Ethical Conduct: You agree to conduct all activities related to this Program lawfully, ethically, and in good faith. You must comply with all applicable laws and regulations in Your jurisdiction, the jurisdiction where 3mdeb systems may be located, and the Republic of Poland.
  2. Compliance with Platform Terms: You must adhere to the terms of service and community guidelines of any platforms used in connection with the Program, including GitHub.
  3. No Harm Principle: You shall not engage in any activity that harms or attempts to harm 3mdeb, its customers, its employees, its services, its data, or its infrastructure.
  4. Prohibited activities include, but are not limited to: violating privacy, destroying or corrupting data, disrupting services (e.g., Denial of Service attacks), degrading user experience, introducing malware, or attempting unauthorized access.
  5. Scope Adherence and Testing Limitations: Your activities must be strictly limited to developing and testing Your Contribution within Your own environment and using publicly available code and documentation from the relevant 3mdeb repositories. You must not probe, scan, or test 3mdeb’s production systems, networks, or non-public infrastructure. If working on a security-related bounty issue requires testing a potential exploit, such testing must be minimal, necessary only to confirm the issue, and must cease immediately upon confirmation or if any sensitive or non-public data is encountered.
  6. Prohibited Methods: Activities such as social engineering (phishing, vishing, etc.), physical access attempts, or exploiting vulnerabilities beyond the minimum necessary for proof-of-concept (if applicable to the bounty issue) are strictly forbidden.
  7. You are expected to maintain active engagement with any task assigned to You. If there is no meaningful update or commit related to Your assigned task for a period of one (1) month, 3mdeb reserves the right to remove You as the assignee for that task. This is to ensure that tasks remain active and available for other participants if progress stalls

C. Financial Support

  1. Nature of Payment: In recognition of Your valuable open-source Contributions to the Program, 3mdeb may, at its sole discretion, provide a financial token of gratitude (hereinafter “Support Payment”). It is explicitly understood that Support Payments are not compensation for services rendered, but rather an act of support for the open-source community and a recognition of Your voluntary contribution.
  2. Eligibility for Support Payment: To be considered for a Support Payment, a Contribution must: (i) be submitted as a GitHub Pull Request; (ii) successfully address a GitHub issue tagged with bounty and a category/ difficulty tag (as defined in Exhibit A); (iii) be accepted and merged into the relevant repository’s codebase by 3mdeb maintainers; (iv) fully comply with all provisions of these Terms; and (v) meet 3mdeb’s quality and technical standards.
  3. Support Payment Amount: The amount of any Support Payment will be determined by 3mdeb in its sole discretion, within the indicative ranges specified in Exhibit A for the corresponding category of the addressed issue. The specific amount will take into consideration factors such as the complexity, effort, and impact of the Contribution.
  4. Following the merge of an eligible Contribution, 3mdeb will guide the Participant through the process of submitting an expense request via the designated 3mdeb Open-Source Collective page on Open Collective . To process this Support Payment, You must provide accurate and complete details as requested by Open Collective to facilitate the transfer of funds. This may include Your preferred payment method (e.g., bank account, PayPal, Wise, where supported by Open Collective), Your full name, address, and any tax-related information required by Open Collective for compliance purposes.
  5. Failure to provide the required information accurately and promptly may result in the inability to process the Support Payment. All Support Payments will be processed through Open Collective, and any associated fees (e.g., platform fees, payment processing fees, currency conversion fees) will be deducted by Open Collective from the gross amount.
  6. Tax Responsibility: This Support Payment is provided as a token of gratitude for Your open-source Contribution and is not considered a payment for services rendered by 3mdeb. Regardless of how You receive these funds, You acknowledge and agree that You are solely responsible for determining and fulfilling any tax obligations arising from Support Payments received in Your jurisdiction, in accordance with the tax laws of Your country of residence. 3mdeb makes no representations regarding Your tax liabilities in Your country and advises You to consult with a tax professional.
  7. Discretionary Nature: 3mdeb is under no obligation to provide a Support Payment for any Submission, even if merged, particularly if the Participant has violated these Terms, if the Submission is found to be a duplicate, or if it does not meet 3mdeb’s standards. All Support Payments are entirely discretionary.
  8. Sanctioned Countries: 3mdeb is legally obligated to comply with all applicable Polish and international sanctions. Therefore, We cannot engage in any transactions or collaborations, including Support Payments, with individuals or entities located in or affiliated with countries subject to sanctions imposed by Poland, the European Union, or other relevant authorities. By participating in this Program, You represent and warrant that You are not located in, under the control of, or a national or resident of any such sanctioned country.

D. Intellectual Property Rights

  1. Participant’s Background IP: You retain ownership of any intellectual property rights You held prior to making a Contribution (“Background IP”).
  2. Contribution Licensing: This section is critical and tailored for open-source projects. By submitting a Contribution to a specific 3mdeb repository under this Program, You affirm that You have the necessary rights to license the Contribution. You agree to license Your Contribution under the terms of the specific open-source license designated for that repository (e.g., GNU General Public License v2.0 for Dasharo/coreboot, Apache License 2.0 for Dasharo/docs, MIT License for Dasharo/meta-dts ). Your Contribution, upon acceptance, will be integrated and distributed as part of the project under that governing license. This approach ensures compliance with existing licenses, particularly copyleft licenses like the GPL, and aligns with standard open-source community practices, differing significantly from typical corporate bounty programs that often require IP assignment.
  3. Grant of License: In accordance with the applicable repository license, You grant 3mdeb and all downstream recipients of the software a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable license to use, reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Your Contribution and any derivative works based thereon.
  4. Ownership Retention: To be clear, You retain copyright ownership of Your original Contribution; You are granting license rights under the applicable open-source license, not assigning ownership to 3mdeb.
  5. Third-Party Materials: If Your Contribution incorporates any third-party code, libraries, or other materials, You are responsible for ensuring that You have the right to include such materials and that they can be licensed compatibly with the target repository’s license. You must clearly identify any such third-party components and their respective licenses within Your Contribution or PR description.
  6. You will not receive additional emoluments from the license, independent of Support Payment.

E. Use of Information / Confidentiality / Disclosure

  1. Public Nature of Submissions: You acknowledge that Contributions submitted via public GitHub Pull Requests, along with associated comments and discussions on public issues, are generally visible to the public, consistent with open-source development methodologies.
  2. Handling Confidential Information: You agree not to submit any information You consider confidential or proprietary through public GitHub channels. If You believe confidential communication regarding sensitive aspects of a security vulnerability is necessary before it is publicly resolved, You must follow the dedicated security reporting process as described in the Dasharo Security documentation , including the use of encrypted communication with the Dasharo security team PGP key available in the 3mdeb Security Pack . Unencrypted emails or public disclosure of such information may be ignored and are strictly prohibited.
  3. Responsible Disclosure of Vulnerabilities: Even if working on a bounty-tagged issue related to security, should You discover sensitive vulnerability details not yet publicly known, You agree not to disclose such details publicly or to any third party until 3mdeb has had a reasonable period (typically expected to be up to 90 days, consistent with industry practices) to investigate, remediate, and coordinate disclosure. This allows for responsible handling of security issues while acknowledging that the general development process for non-critical aspects is public. For non-security related Contributions, disclosure occurs naturally through the public PR process.
  4. Data Privacy: 3mdeb will collect and process personal data provided by You e.g., for identity verification, communication, and payment in a ccordance with its Privacy Policy and applicable data protection regulations. In particular, You acknowledge that the processing of Your personal data will be carried out in compliance with the General Data Protection Regulation (GDPR), where applicable. This includes, but is not limited to, ensuring the lawfulness, fairness, and transparency of processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality (security), and accountability. You have the right to access, rectify, erase, restrict processing, object to processing, and data portability of Your personal data, subject to the conditions and limitations set out in the GDPR.

F. Warranties and Disclaimers

  1. Participant Warranties: You represent and warrant that: (i) You have the legal right and authority to make the Contribution and grant the licenses described herein; (ii) Your Contribution is Your original work, except for any clearly identified third-party materials included in compliance with Section D.5.; and (iii) Your Contribution does not infringe upon or violate the intellectual property rights, confidentiality obligations, or any other rights of any third party.
  2. 3mdeb Disclaimer: THE PROGRAM AND ANY RELATED INFORMATION OR RESOURCES ARE PROVIDED ON AN “AS IS” AND “AS AVAILABLE” BASIS. 3MDEB EXPRESSLY DISCLAIMS ALL WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. 3MDEB DOES NOT WARRANT THAT THE PROGRAM WILL MEET YOUR REQUIREMENTS, BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, NOR DOES IT GUARANTEE THAT ANY SUBMISSION WILL BE ACCEPTED OR RESULT IN A BOUNTY PAYMENT. 3MDEB WILL MAKE REASONABLE EFFORTS TO REVIEW ALL SUBMISSIONS THAT COMPLY WITH THESE TERMS, BUT DOES NOT GUARANTEE A TIMELY REVIEW.

G. Limitation of Liability

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL 3MDEB, ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO, DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, OR OTHER INTANGIBLE LOSSES (EVEN IF 3MDEB HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES), ARISING OUT OF OR RELATING TO YOUR PARTICIPATION IN THE PROGRAM OR THESE TERMS. 3MDEB’S TOTAL CUMULATIVE LIABILITY TO YOU ARISING FROM OR RELATED TO THE PROGRAM AND THESE TERMS, WHETHER IN CONTRACT, TORT, OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF BOUNTY PAYMENTS, IF ANY, PAID BY 3MDEB TO YOU UNDER THIS PROGRAM FOR THE SPECIFIC CONTRIBUTION(S) GIVING RISE TO THE CLAIM.

H. Governing Law and Dispute Resolution

  1. Governing Law: These Terms and any disputes arising out of or in connection with the Program shall be governed by and construed in accordance with the laws of the Republic of Poland, without giving effect to any principles of conflicts of law that would require the application of the laws of another jurisdiction. The United Nations Convention on Contracts for the International Sale of Goods does not apply to these Terms.
  2. Jurisdiction: You agree that any legal action or proceeding arising out of or relating to these Terms or the Program shall be brought exclusively in the competent courts located in Gdańsk, Poland. You hereby irrevocably consent to the personal jurisdiction and venue of such courts. This choice provides legal certainty for 3mdeb but participants should be aware of this specific jurisdiction requirement.

I. Program Changes and Termination

3mdeb reserves the right, in its sole discretion, to modify, suspend, or terminate only for compelling reasons the Program, or amend these Terms, in whole or in part, at any time and for any reason, without liability or prior notice. Any changes will be effective immediately upon posting of the revised Terms or other notification by 3mdeb. Your continued participation in the Program after such changes constitutes Your acceptance of the revised Terms. However, 3mdeb will strive to provide reasonable notice of any significant changes to the Program or its Terms, where reasonably possible. In the event of Program termination, 3mdeb will also endeavor to honor bounty payments for Contributions that have been accepted and merged prior to the termination date, to the extent reasonably practicable.

J. Miscellaneous

  1. Entire Agreement: These Terms constitute the entire agreement between You and 3mdeb concerning the subject matter hereof and supersede all prior or contemporaneous communications and proposals, whether electronic, oral, or written, between You and 3mdeb with respect to the Program.
  2. Severability: If any provision of these Terms is held by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, or if modification is not possible, severed from these Terms, and the remaining provisions shall continue in full force and effect.
  3. No Waiver: The failure of 3mdeb to exercise or enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.
  4. Relationship of the Parties: Your participation in the Program does not create any employment, agency, partnership, or joint venture relationship between You and 3mdeb. You are participating as an independent individual or entity.
  5. Assignment: You may not assign or transfer Your rights or obligations under these Terms without the prior written consent of 3mdeb. 3mdeb may assign its rights and obligations under these Terms without restriction.

Exhibit A - Bounty Reward Structure

Please note that all Support Payment amounts listed below are gross amounts. As these are discretionary Support Payments and not compensation for services, 3mdeb does not intend to withhold income tax at source. Contributors are solely responsible for determining and fulfilling any tax obligations arising from these Support Payments in their jurisdiction, based on their local tax laws.

This exhibit outlines the indicative ranges for financial support associated with different categories of Contributions to the 3mdeb Open-Source Contribution Program. The specific Support Payment amount for an eligible Contribution will be determined by 3mdeb in its sole discretion, taking into account factors such as the complexity, effort required, impact of the Contribution, and its strategic value to the project, but will fall within the ranges specified below for the corresponding tag applied to the GitHub issue.

  • Warmup (Tag: bounty-warmup): $1 - $50 USD gross Small bug fixes, straightforward documentation updates, adding minor tests. These tasks are designed to be accessible for new contributors to the program.

  • Easy (Tag: bounty-easy): $51 - $100 USD gross Issues requiring a basic understanding of the project’s architecture, involving moderate code refactoring, or implementing new, simple test suites.

  • Medium (Tag: bounty-medium): $101 - $250 USD gross Tasks that involve developing new features of moderate complexity, adding support for new hardware or software models, or debugging more intricate issues within existing functionality.

  • Hard (Tag: bounty-hard): $251 - $500+ USD gross Significant contributions such as implementing major architectural changes, redesigning core components of the system, or performing substantial low-level performance optimizations.

Contact Us

Feel free to ask if you have any questions.

Contact Us