General Conditions of Use
Revision History: v2026.05
- Initial platform release framework.
- Alignment with DPDP 2023 and CERT-In 2022.
1. Introduction
Welcome to XC0MRADE, a technology-enabled vulnerability management marketplace operated by XC0MRADE Technologies Private Limited (the company, we, us, or our), incorporated under the Companies Act, 2013 with CIN U62099BR2025PTC079540.
This GCU governs your access to and use of xcomrade.tech, including related applications, APIs, and services. By creating an account, clicking "I Agree", or using the services, you agree to be legally bound by this GCU and the Privacy Policy.
If you do not agree to these terms, you must stop using the platform.
2. Definitions
ASM
Attack Surface Management - continuous discovery and monitoring of an organisation's external digital assets.
BBP
Bug Bounty Programme where an organisation offers rewards for qualifying vulnerabilities in defined scope.
CERT-In
Indian Computer Emergency Response Team under Section 70B of the IT Act, 2000.
Commission
Company fee retained from reward disbursement, presently 15% to 20% [TBC], subject to notice.
Customer / Organisation
Any legal entity registered on the platform to host programmes or procure services.
DPDPA
Digital Personal Data Protection Act, 2023, including applicable rules and directions.
Escrow Wallet
Platform ledger account holding organisation funds pending researcher disbursement.
GCU
These General Conditions of Use, as amended from time to time.
KYB
Know Your Business verification for organisations, including CIN/GST and bank validation.
KYC
Know Your Customer verification for researchers, including Aadhaar/PAN/bank validation.
MFA
Multi-factor authentication using TOTP or email OTP for account login security.
Out-of-Scope Testing
Any testing against assets not explicitly listed in the programme scope.
P-Tier
Three-level reputation system (P3, P2, P1) based on Sketch Score and conduct.
Platform
xcomrade.tech infrastructure, software, APIs, dashboards, and associated services.
Programme
Any BBP, VDP, or PTM engagement hosted through the platform.
PTM
Penetration Test Management service for structured tests by vetted researchers.
Qualifying Vulnerability
In-scope, reproducible, non-duplicate vulnerability meeting programme thresholds.
Report
Submission by a researcher containing technical details, PoC, impact, and remediation.
Reward
Monetary or non-monetary consideration offered for accepted qualifying reports.
Safe Harbour
Legal protection for authorised, in-scope testing as per Section 12 of this GCU.
Scope
Specific systems, applications, IP ranges, and parameters defined by the organisation.
Security Researcher
Independent individual registered to discover and responsibly disclose vulnerabilities.
Sketch Score
Reputation score calculated as per Schedule A points and deductions.
Sketcher
Platform visual tool for exploit-chain diagrams attached to reports.
VDP
Vulnerability Disclosure Programme with responsible disclosure but no reward obligation.
Wallet
Researcher wallet tracking reward credits, deductions, and payout status.
zerod
Platform learning module for CTFs, educational paths, and skill development.
3. Eligibility and User Status
3.1 Age Requirement
Platform usage is restricted to individuals at least 18 years of age.
3.2 Independent Contractor Status
Security Researchers are independent contractors, not employees, agents, or partners of the company.
3.3 Organisation Eligibility
Organisations must be valid legal entities and authorised representatives must have authority to bind them to this GCU.
3.4 Restrictions
- Users from sanctioned jurisdictions are prohibited.
- Users convicted for serious cyber offences may be denied access.
- The company may apply geo-restriction controls for compliance.
4. Registration and Account Management
4.1 Account Creation and Roles
Users must provide accurate information. Roles include Security Researcher, Organisation, Verifier, Admin, and Superadmin.
4.2 MFA Requirement
MFA (TOTP or email OTP) must be enabled within 72 hours of registration.
4.3 KYC for Researchers
- Aadhaar OTP-based verification where legally permitted.
- PAN validation for tax compliance.
- Bank account verification for payouts.
- Additional checks required by applicable AML/PMLA obligations.
4.4 KYB for Organisations
- GSTIN or CIN verification.
- Authorised signatory validation.
- Bank account validation for escrow funding.
- Organisational PAN documentation where required.
5. Services Offered
Bug Bounty (BBP)
Organisation-run programmes with rewards for qualifying vulnerabilities.
Disclosure (VDP)
Non-monetary disclosure channel with recognition and reputation impacts.
PTM
Managed penetration testing engagements under separate statements of work.
ASM
Continuous external attack surface monitoring for subscribed organisations.
zerod
Learning and CTF module for capability growth and community participation.
Sketcher
Diagramming tool for exploit chain visuals attached to reports.
6. Researcher Obligations
6.1 Authorised Testing Only
Testing must remain strictly inside programme scope.
6.2 Prohibited Conduct
- Data exfiltration beyond minimal proof.
- DoS/DDoS activity.
- Social engineering unless explicitly authorised in writing.
- Testing unlisted third-party or partner assets.
- Public disclosure before permitted coordinated timeline.
- Account abuse, platform abuse, or severity manipulation.
6.3 Coordinated Disclosure
| Period | Description |
|---|---|
| Day 0 | Report submitted via platform |
| Day 1-3 | Initial triage by verifier |
| Day 4-7 | Organisation notified; acknowledgement required |
| Day 8-30 | Organisation remediation window |
| Day 31-90 | Extended remediation for complex/critical issues |
| Day 91+ | Researcher may request disclosure with company approval |
7. Intellectual Property
7.1 Platform IP
All platform software, tooling, branding, and proprietary systems are company intellectual property.
7.2 Report Licence
Accepted reports grant organisations a non-exclusive, irrevocable, perpetual, worldwide, royalty-free licence for remediation and security improvement purposes.
7.4 Research Graph
De-identified aggregate vulnerability pattern outputs are owned by the company.
8. Financial Conditions
8.2 Commission
Platform commission applies per programme terms, currently 15% to 20% [TBC] where applicable.
8.3 Wallet and Payouts
- Accepted credits are held pending verification and KYC.
- Target payout processing time: 5 to 7 business days after approval.
- Minimum payout threshold: INR 500 [TBC].
- Fraud/compliance review may delay or withhold payouts.
8.4 Tax and TDS
TDS may be deducted as applicable law requires. Rates and treatment are subject to statutory requirements.
9. Confidentiality
9.1 Researcher Obligations
- Do not disclose programme or report content without authorisation.
- Use confidential information only for permitted programme activity.
- Return or delete confidential information when required.
10. Personal Data and Privacy
10.2 Data Categories
| Category | Examples | Legal Basis (DPDPA) |
|---|---|---|
| Identity Data | Name, Aadhaar token, PAN, selfie | Consent; Legitimate Use |
| Contact Data | Email, phone, address | Consent |
| Financial Data | Bank account, UPI ID, TDS records | Legal Obligation |
| Technical Data | IP address, logs, device info | Legitimate Use |
| Usage Data | Reports, zerod activity, actions | Legitimate Use |
| KYC/KYB Documents | CIN, GST, board resolution | Legal Obligation |
| Communications | Support tickets, legal appeals | Consent / Legitimate Use |
10.4 Retention Schedule
| Data Category | Retention | Basis |
|---|---|---|
| KYC/KYB Documents | 5 years after closure | PMLA requirements |
| Financial and TDS Records | 7 years | Income tax requirements |
| Security Logs | 180 days rolling | CERT-In directions |
| Accepted Reports | As required by law or contract | Compliance obligations |
| General Account Data | Account duration + 2 years | Legitimate use |
| Support Communications | 3 years | Business purpose |
11. Limitation of Liability
To the maximum extent permitted by law, liability is limited as specified in this GCU and applicable law. Indirect, incidental, consequential, or special damages are excluded to the extent legally permitted.
12. Safe Harbour
Programme scope authorisation is a legal consent instrument for permitted testing. Safe Harbour applies only to authorised, in-scope testing and does not protect out-of-scope actions.
CRITICAL: Out-of-scope testing is not protected and may create civil and criminal exposure under applicable law.
14. P-Tier Reputation System
| Tier | Label | Sketch Score | Benefits |
|---|---|---|---|
| P3 | Newcomer | 0-499 | Public programmes; core features |
| P2 | Trusted | 500-1,999 | Private programmes; priority verifier flow |
| P1 | Elite | 2,000+ | PTM eligibility; advanced trust features |
Schedule A - Sketch Score
| Activity | Points | Notes |
|---|---|---|
| Critical Severity Report Accepted | +500 | Verifier + admin confirmation |
| High Severity Report Accepted | +200 | Verifier confirmation |
| Medium Severity Report Accepted | +100 | Standard verifier review |
| Low Severity Report Accepted | +30 | Standard review |
| Informational Report Accepted | +10 | Standard review |
| Sketch submitted with accepted report | +20 | Linked accepted report required |
| First blood in programme | +100 | First valid submission |
| CVE assignment for reported issue | +150 | Verified CVE required |
| CTF challenge completed | +15 / +40 / +100 | Per unique challenge |
| Skill badge earned | +50 | Per badge |
| Community learning module completed | +25 | Per completion |
| Duplicate report | -10 | Deduction rule applies |
| Out-of-scope report (unintentional) | -25 | Admin discretion |
| Low-quality insufficient report | -15 | Verifier reviewed |
| Confirmed fraudulent report | -500 | Human review required |
| Confirmed out-of-scope testing | -1,000 | Human review; suspension risk |
| Breach of confidentiality | -2,000 | Human review required |
| 10 accepted reports milestone | +200 | Cumulative milestone |
| 50 accepted reports milestone | +500 | Cumulative milestone |
| P2 tier attained | +100 | Upgrade bonus |
| P1 tier attained | +300 | Upgrade bonus |
Schedule B - Ethics Certification
Every security researcher certifies at programme enrolment:
- Testing is restricted to authorised scope only.
- No data exfiltration beyond minimum proof requirements.
- No destructive or disruptive activity (including DoS).
- Responsible disclosure via platform before any external disclosure.
- Strict confidentiality obligations are observed.
- Compliance with applicable law and platform policy.
- No undisclosed conflict of interest.
- Tax and payout compliance responsibilities are accepted.
- Submitted reports are accurate and non-fraudulent.
- No attempt to manipulate platform systems or reputation scoring.