0MRADE

xc0mrade@root

Loading0%

0MRADE

xc0mrade@root

Loading0%

Legal Framework

GENERAL CONDITIONS OF USE

Xc0mrade Technologies Private Limited — Version 1.0

Effective Date: April 3, 2026|CIN: U62099BR2025PTC079540

These General Conditions of Use ("GCU") govern the relationship between Xc0mrade Technologies Private Limited, a company incorporated under the Companies Act, 2013 with CIN U62099BR2025PTC079540, having its registered office in Bihar, India ("Xc0mrade" or the "Company") and any individual or entity registering on the Company's platform accessible at https://xc0mrade.com (the "Platform").

The Platform is a multi-sided vulnerability marketplace that enables organizations to discover security vulnerabilities in their digital assets through structured programs offered by Security Researchers. The Platform provides five (5) types of services: (i) Bug Bounty Programs, (ii) Vulnerability Disclosure Programs (VDP), (iii) Penetration Test Management (PTM), (iv) Attack Surface Management (ASM), and (v) Community Learning and Skill Development (zerod). Together these are referred to as the "Services".

By registering on or using the Platform, you unconditionally accept these GCU. If you do not agree, do not use the Platform.

1. DEFINITIONS

Capitalized terms used herein shall have the meanings assigned below:

"Bug Bounty Program" means a program created by a Customer to invite Security Researchers to test its Systems in exchange for monetary Rewards upon submission of valid Vulnerability Reports.
"Customer" means any company, organization, startup, or government entity subscribing to the Platform's Services.
"Customer User" means any individual authorized by a Customer to manage its Programs, triage reports, and approve payouts on the Platform.
"zerod" means the Platform's integrated community learning module offering CTF challenges, training content, certification pathways, and skill development resources.
"KYC" means Know Your Customer verification as required under applicable Indian financial regulations including PMLA 2002 and RBI guidelines.
"Platform" means the Xc0mrade web application, APIs, mobile applications, and all related digital infrastructure accessible at xc0mrade.com.
"Program" means a Bug Bounty Program, VDP, Featured VDP, PTM engagement, or ASM subscription created and managed by a Customer on the Platform.
"Reward" means the financial payment issued by a Customer to a Security Researcher for a valid, accepted Vulnerability Report submitted under a Bug Bounty Program.
"Safe Harbor" means the express written authorization granted by a Customer through their Program scope, confirming that Security Researchers operating within defined boundaries are authorized to conduct security testing and shall not face legal action.
"Security Researcher" means any independent individual or entity registered on the Platform who discovers and reports Vulnerabilities, whether or not in exchange for a Reward.
"Sketch" means the structured JSON and PNG-format visual representation of a vulnerability exploit chain created using the Platform's integrated Sketcher tool.
"Sketch Score (SS)" means the composite reputation metric assigned to each Security Researcher based on report quality, severity, reproducibility, and community contributions.
"Sketcher" means the Platform's proprietary attack chain visualization tool enabling Security Researchers to document exploit flows as structured, machine-readable data.
"System" means any IT infrastructure, web application, API, mobile application, cloud service, or connected device designated by a Customer as in-scope for testing.
"User" means any individual or entity with a registered account on the Platform, including Customer Users and Security Researchers.
"VDP" means a Vulnerability Disclosure Program, a structured channel enabling Security Researchers to report Vulnerabilities without monetary compensation.
"Vulnerability" means any security flaw, bug, misconfiguration, or weakness in a Customer's System that individually or cumulatively impacts its security or functionality.
"Vulnerability Report" means a structured document submitted by a Security Researcher on the Platform describing a discovered Vulnerability, including technical details, impact assessment, reproduction steps, and where applicable, a Sketch.
"Wallet" means the virtual payment account maintained on the Platform for the deposit, storage, and disbursement of Rewards to Security Researchers, managed through the Platform's authorized Payment Service Provider (PSP).

2. ELIGIBILITY AND USER STATUS

2.1 Age and Legal Capacity

Registration on the Platform is restricted to individuals who have attained the age of majority (18 years or older) under the applicable laws of their country of residence. By registering, you represent and warrant that you meet this requirement. The Company reserves the right to request proof of age at any time.

2.2 Independence of Security Researchers

Security Researchers are independent individuals or entities. Nothing in these GCU creates or shall be construed to create any employer-employee relationship, agency, partnership, joint venture, or any other form of association between the Company and a Security Researcher. Security Researchers are solely responsible for their own tax obligations, social security contributions, professional registrations, and compliance with applicable Indian and international laws.

2.3 Authority of Customer Users

Individuals accessing the Platform on behalf of a Customer represent and warrant that they have full authority to bind the Customer to these GCU. All actions taken by Customer Users on the Platform are deemed to be actions of the Customer itself.

2.4 Conflict of Interest

Security Researchers must proactively disclose and avoid conflicts of interest with Customers whose Programs they participate in. Conflicts include but are not limited to: (i) current or former employment with the Customer within 12 months; (ii) holding a financial interest in the Customer; (iii) being a contractor or vendor of the Customer. Participation in a Program where a conflict exists is prohibited unless expressly authorized in writing by the Customer.

3. REGISTRATION AND ACCOUNT MANAGEMENT

3.1 Account Creation

To access the Services, Users must complete the registration process on the Platform by providing accurate, complete, and current information. Users must select their account type at registration: Security Researcher or Organization. Additional role types (Mentor, ECS Reviewer, Vendor, Admin) are assigned by the Company.

3.2 Account Security

Users are solely responsible for maintaining the confidentiality of their login credentials. Any activity occurring under a User's account is deemed to be the User's own action. Users must immediately notify the Company at security@xc0mrade.com upon discovering any unauthorized access to or use of their account.

3.3 KYC Verification

Security Researchers wishing to receive monetary rewards must complete KYC verification as mandated by Indian financial regulations including the Prevention of Money Laundering Act (PMLA), 2002 and applicable RBI guidelines. KYC verification requires submission of government-issued photo identification, proof of address, and applicable tax documentation (PAN card for Indian residents). Payouts are strictly suspended until KYC is verified and marked as "KYC Verified" on the Platform.

3.4 Account Suspension and Termination

The Company reserves the right to suspend or permanently terminate any User account for: (i) violation of these GCU; (ii) suspected or confirmed fraudulent activity; (iii) submission of false or misleading information; (iv) actions that compromise Platform security or integrity; (v) conduct harmful to Customers, other Users, or the Company. Termination is without prejudice to the Company's right to seek damages.

4. SERVICES

4.1 Bug Bounty Programs

Bug Bounty Programs enable Customers to invite Security Researchers (publicly or privately) to test designated Systems in exchange for monetary Rewards. Security Researchers participating in Bug Bounty Programs acknowledge that:

Testing must be strictly limited to in-scope assets defined in the Program.
Rewards are determined solely by the Customer based on severity and validity of the Vulnerability Report.
The Platform's P-Tier system (P3, P2, P1) governs access to private and high-value programs based on Sketch Score.
The Sketch Score is updated automatically based on report outcomes as defined in Schedule A.

4.2 Vulnerability Disclosure Programs (VDP)

VDPs are non-monetary programs enabling Security Researchers to responsibly report Vulnerabilities to organizations. VDP participants receive no financial Reward and do not earn Sketch Score ranking points. Participation demonstrates good faith security research and supports the broader cybersecurity community.

4.3 Penetration Test Management (PTM)

PTM services allow Customers to manage structured penetration testing engagements through the Platform. Security Researchers participating in PTM engagements operate under a separate written agreement with the Customer and are subject to stricter confidentiality and scope requirements. PTM participants may be subject to background verification at the Company's discretion.

4.4 Attack Surface Management (ASM)

ASM is a Customer-facing continuous monitoring service. ASM findings are generated through automated scanning and must be validated by Customer Users before they are classified as confirmed Vulnerabilities. Security Researchers are not directly involved in ASM delivery.

4.5 zerod — Community Learning Platform

The zerod module provides Security Researchers with access to: (i) Capture The Flag (CTF) challenges; (ii) structured certification pathways; (iii) anonymized vulnerability case studies; (iv) mentorship programs. Participation in zerod activities contributes to a Researcher's Sketch Score through achievement of defined milestones. zerod content is the intellectual property of the Company and may not be reproduced or distributed without written permission.

4.6 Sketcher Tool

The Sketcher is the Platform's proprietary tool for creating structured visual representations of vulnerability exploit chains. By submitting a Sketch as part of a Vulnerability Report, the Security Researcher:

Grants the Customer a non-exclusive, perpetual license to use the Sketch for internal security remediation purposes.
Acknowledges that the JSON payload and PNG export generated by the Sketcher become part of the Vulnerability Report and are subject to the IP assignment provisions in Section 6.
Represents that the Sketch accurately depicts the documented vulnerability and does not contain fabricated or misleading information.

5. SECURITY RESEARCHER OBLIGATIONS

5.1 Authorized Testing

Security Researchers may only conduct Tests on Systems expressly listed as in-scope in an active Program. The Customer's Program rules, read together with these GCU, constitute the binding Safe Harbor authorization for testing. Any testing conducted outside defined scope may constitute an offence under Section 66 of the Information Technology Act, 2000 and could result in civil or criminal liability.

5.2 Prohibited Conduct

Security Researchers must not, under any circumstances:

Conduct or attempt Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks against any System.
Access, exfiltrate, modify, or destroy data beyond what is strictly necessary to demonstrate the existence of a Vulnerability.
Engage in social engineering, phishing, or physical attacks against Customer employees, contractors, or third parties.
Access systems, accounts, or data belonging to any individual or entity other than test accounts expressly provided by the Customer.
Demand payment or threaten public disclosure as a condition for providing Vulnerability information (extortion).
Disclose any Vulnerability or Vulnerability Report to any third party, media outlet, or on social media without prior written approval from the Customer and the Company.
Use discovered Vulnerabilities for personal gain beyond the Program's Reward structure.
Submit knowingly false, fabricated, or duplicate reports.
Violate any applicable Indian or international law in connection with security testing.

5.3 Responsible Disclosure

Upon discovering a Vulnerability, Security Researchers must submit the Vulnerability Report through the Platform within a reasonable timeframe. Disclosure timelines are governed by the Program rules and must not exceed the Customer's defined remediation period. Where no timeline is specified, the Company's default disclosure policy of 90 days from report acknowledgment applies.

5.4 Evidence and Report Quality

High-quality Vulnerability Reports must include: (i) a clear, descriptive title; (ii) the affected target or endpoint; (iii) the Security Researcher's severity assessment with CVSS justification; (iv) a detailed description of the Vulnerability; (v) quantified impact assessment; (vi) step-by-step reproduction instructions; and (vii) where applicable, a Sketcher-generated visual exploit chain. Low-quality, non-reproducible, or incomplete reports will result in Sketch Score deductions as per Schedule A.

6. INTELLECTUAL PROPERTY

6.1 Platform IP

The Company retains all intellectual property rights in the Platform, including but not limited to the Sketcher tool, Sketch Score algorithm, P-Tier system, zerod content, software, code, UI/UX design, databases, trademarks, and all proprietary methodologies. Users may not reproduce, adapt, distribute, or create derivative works from any Platform materials without prior written consent.

6.2 Vulnerability Report IP Assignment

Upon acceptance of a Vulnerability Report and payment of the associated Reward, the Security Researcher grants the Customer a non-exclusive, worldwide, perpetual, royalty-free license to use the Vulnerability Report (including reproduction steps and supporting materials) for internal security remediation, verification, audit, and compliance purposes.

The Security Researcher warrants that: (i) they are the sole author of the Report; (ii) the Report does not infringe any third-party rights; and (iii) the Report does not contain any open-source, third-party, or pre-existing IP without appropriate disclosure.

For clarity: assignment of rights applies only to the specific Sketch artifact generated and submitted for that accepted report. The underlying security know-how, methodology, and general research techniques remain with the Security Researcher.

6.3 Platform Data

Aggregated, anonymized, and statistical data generated through Platform usage, including Sketch Score data, program metrics, and vulnerability trends, is the exclusive property of the Company. Users have no ownership rights in Platform Data and may not extract, scrape, or reproduce it without written permission.

7. FINANCIAL CONDITIONS

7.1 Rewards

Rewards are determined solely by the Customer based on the severity of the Vulnerability (as agreed between the Customer and Security Researcher) and the Program's reward table. The Company acts strictly as an intermediary and payment facilitator and is not liable for the non-payment, under-payment, or dispute of any Reward.

7.2 Platform Commission

The Company charges a platform commission on each Reward paid through the Platform. The commission rate applicable to each Program type is specified in the Customer's subscription agreement. Commissions are charged to the Customer as an overhead and are not deducted from the Security Researcher's Reward unless explicitly stated in the Program.

7.3 Wallet and Payouts

Rewards are held in the Security Researcher's Platform Wallet pending KYC verification and payout processing. Payouts are processed through the Platform's authorized PSP (Razorpay for Indian transactions; Stripe Connect / Payoneer for international). Currency conversion charges, where applicable, are borne by the Security Researcher. The Company shall provide Security Researchers with an annual transaction summary for tax reporting purposes.

7.4 Indian Tax Compliance

Security Researchers who are Indian residents are solely responsible for compliance with applicable Indian tax laws. The Company may deduct Tax at Source (TDS) as required under the Income Tax Act, 1961:

Bug Bounty Rewards are treated as professional/contractual services income and withheld under applicable provisions such as Section 194C or Section 194J, as determined by prevailing law and transaction facts.
The Company will issue Form 16A / TDS certificates as required by law.

The Company has obtained professional tax advice on classification and may update implementation as required by law. Security Researchers should obtain independent tax advice regarding their individual obligations (including GST where applicable).

7.5 Invoicing Mandate

By accepting these GCU, Security Researchers expressly authorize the Company to generate and issue invoices on their behalf for Rewards earned through Bug Bounty Programs. Security Researchers certify that they are aware of and will comply with all applicable social, tax, and accounting obligations. The Company's liability is strictly limited to providing transaction documentation.

8. CONFIDENTIALITY

All Users agree to maintain strict confidentiality of all information accessed through or in connection with the Platform, including Vulnerability Reports, Program details, Customer technical information, and any data encountered during testing. Confidentiality obligations survive termination of these GCU for a period of five (5) years.

Upon closure of a Program or termination of participation, Security Researchers must immediately delete all Customer data and information from their systems and, upon request, provide written confirmation of such deletion.

9. PERSONAL DATA AND PRIVACY

9.1 Data Controller

The Company processes personal data of Users as a data controller under India's Digital Personal Data Protection Act (DPDP), 2023. Details of data processing activities are available in the Platform's Privacy Policy at https://xc0mrade.com/privacy.

9.2 Security Researcher Data

Personal data collected from Security Researchers (including KYC documents, PAN details, transaction records) is processed strictly for the purposes of: (i) Platform operation and identity verification; (ii) Reward disbursement; (iii) legal compliance; and (iv) Sketch Score calculation. Data is not shared with third parties except as required by law or for payment processing.

9.3 Data During Testing

Security Researchers may encounter personal data belonging to Customer users during testing. Security Researchers must not access, copy, modify, or retain such data beyond what is strictly necessary to demonstrate the Vulnerability. All personal data encountered must be immediately reported to the Customer and treated as strictly confidential. Non-compliance constitutes a serious breach of these GCU and may trigger obligations under the DPDP Act 2023 and the IT Act 2000.

9.4 Data Subject Rights

Users may exercise their rights under the DPDP Act 2023 (including the right to access, correct, and erase personal data) by writing to: privacy@xc0mrade.com. The Company will respond within the timeframes mandated by applicable law.

10. LIABILITY

10.1 Company Liability

To the maximum extent permitted by applicable Indian law, the Company shall not be liable for:

Any damage caused by unauthorized activity conducted by Security Researchers outside the defined Program scope.
Non-payment or disputes regarding Rewards between Customers and Security Researchers.
Technical inaccuracies, errors, or omissions in Vulnerability Reports.
Loss of data, business interruption, or consequential damages arising from Platform use.
Platform unavailability due to maintenance, force majeure, or third-party infrastructure failures.
Actions or omissions of Customer Users in managing their Programs.

10.2 Security Researcher Liability

Security Researchers are fully liable for all damage caused to the Company, Customers, or third parties resulting from: (i) testing conducted outside Program scope; (ii) unauthorized data access or exfiltration; (iii) breach of confidentiality; (iv) submission of false or malicious reports; or (v) any violation of applicable Indian or international law. Security Researchers agree to indemnify and hold harmless the Company and Customers from all claims, damages, costs, and expenses arising from such breaches.

10.3 Customer Liability

Customers are solely responsible for the accuracy and completeness of their Program scope definitions, the security of their own Systems, and ensuring that Security Researchers have lawful authorization to test designated assets. The Company shall not be liable for any damage arising from inadequately defined Program scopes.

11. SAFE HARBOR AND LEGAL PROTECTION

The Platform's Safe Harbor provisions are the critical legal instrument enabling authorized security research in India. Authorization matters because Section 43 of the Information Technology Act, 2000 distinguishes unauthorized access from authorized access, and Section 66 addresses criminal consequences for dishonest/fraudulent unauthorized acts.

By publishing a Program on the Platform, a Customer expressly grants Security Researchers authorization to conduct Tests within the defined scope. This authorization transforms the activity from potentially unlawful unauthorized access under Section 43/66 of the IT Act, 2000 into authorized, consented security research. It also supports responsible disclosure and compliance under applicable cybersecurity and privacy frameworks including the DPDP Act 2023.

Safe Harbor protection is strictly conditional on compliance with Program rules and these GCU. Testing outside scope voids all protections immediately.

12. INTERMEDIARY STATUS AND COMPLIANCE

The Company operates as an "Intermediary" under Section 2(w) of the Information Technology Act, 2000 and is subject to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 as amended. In this capacity, the Company:

Appoints a Grievance Officer accessible at grievance@xc0mrade.com for User complaints and data privacy concerns.
Maintains a notice-and-takedown mechanism for unlawful content — content deemed unlawful (including exploit code targeting critical infrastructure) will be removed within 72 hours of notification.
Conducts reasonable due diligence on Users but does not take editorial control over third party content (Vulnerability Reports).

Failure to maintain Intermediary compliance obligations, including the 72-hour takedown requirement for notified unlawful content, results in loss of safe harbor immunity under the IT Act. All Users must cooperate with the Company's compliance obligations.

13. P-TIER REPUTATION SYSTEM

The Platform operates a three-tier reputation system based on Sketch Score (SS):

P3 — Contributor (0 to 500 SS): Access to public programs, standard submission quota, basic Platform features.
P2 — Verified Analyst (501 to 1500 SS): Private program eligibility, mentorship access, increased submission quota, ECS screening eligibility.
P1 — Elite Partner (1501+ SS): Recruitment pathway access, Platform governance participation, apex decay rules apply.

Sketch Score points are awarded and deducted automatically based on report outcomes as detailed in Schedule A. The Company reserves the right to modify the P-Tier thresholds, point values, and tier privileges with 30 days' notice to affected Users. All high-stakes P-Tier decisions (P1 promotions and demotions) are subject to mandatory human review.

P-Tier status constitutes a professional endorsement and is linked to recruitment pathways. Manipulation of the Sketch Score system through fraudulent submissions is a serious violation resulting in permanent account termination.

13B. PERSONAL DATA BREACH NOTIFICATION

In the event of a personal data breach affecting your data, Xc0mrade will notify affected Data Principals and the Data Protection Board of India within 72 hours of becoming aware of the breach, in accordance with applicable DPDP Rules.

Such notice will include, to the extent reasonably available at the time: (i) nature of the breach; (ii) likely consequences; and (iii) mitigation/remedial measures taken or proposed.

14. GOVERNING LAW AND DISPUTE RESOLUTION

These GCU are governed exclusively by the laws of India. Any dispute, controversy, or claim arising out of or relating to these GCU, or its breach, termination, or validity, shall be subject to the following resolution process:

Step 1 — Informal Resolution: The parties will attempt to resolve the dispute amicably within 30 days of written notice.
Step 2 — Mediation: If informal resolution fails, the parties agree to mediation under the Mediation Act, 2023 before an agreed mediator.
Step 3 — Arbitration: Unresolved disputes shall be referred to binding arbitration under the Arbitration and Conciliation Act, 1996, with a sole arbitrator appointed by mutual agreement, seated in Patna, Bihar.
Step 4 — Courts: If arbitration is inapplicable, the parties submit to the exclusive jurisdiction of the competent courts of Patna, Bihar.

15. GENERAL PROVISIONS

15.1 Amendments

The Company reserves the right to modify these GCU at any time. Users will be notified of material changes upon next login and required to re-accept. Continued use of the Platform after the effective date of changes constitutes acceptance. If you do not agree, you must immediately cease using the Platform and deactivate your account.

15.2 Force Majeure

Neither party shall be liable for delays or failures in performance resulting from causes beyond its reasonable control, including acts of God, natural disasters, pandemic, war, cyberattacks on infrastructure, or government actions.

15.3 Severability

If any provision of these GCU is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.4 Entire Agreement

These GCU, together with the Privacy Policy and any Program-specific rules, constitute the entire agreement between the parties regarding Platform use and supersede all prior agreements on the same subject matter.

15.5 Contact

For all queries, notices, and complaints: legal@xc0mrade.com | grievance@xc0mrade.com
Xc0mrade Technologies Private Limited | CIN: U62099BR2025PTC079540 | Bihar, India

SCHEDULE A — SKETCH SCORE POINTS TABLE

The following points are automatically applied to a Security Researcher's Sketch Score upon report status change:

Report Outcome	Sketch Score Change
Resolved — Critical severity	+50 SS
Resolved — High severity	+30 SS
Resolved — Medium severity	+15 SS
Resolved — Low severity	+7 SS
Resolved — Informational	+3 SS
Accepted / Triaged	+7 SS
Marked as Duplicate	-5 SS
Rejected / Informational	-10 SS
Confirmed Spam / Malicious	Score zeroed to 0
Ethics training completed	+5 SS
Mentor session completed	+3 SS
CTF challenge completed (zerod)	+2 to +10 SS

Sketch Score cannot fall below 0. Score zeroing applies only on confirmed spam or malicious activity as determined by the Trust & Safety team.

SCHEDULE B — MANDATORY ETHICS AND DISCLOSURE CERTIFICATION

Before accessing P2 and P1 programs and before receiving any Reward payment, Security Researchers must complete and certify the following:

I, the undersigned Security Researcher, certify that:

I have read, understood, and agree to abide by the Xc0mrade General Conditions of Use Version 1.0.
I will conduct all Tests strictly within the scope defined by the Customer's Program and will not access, modify, or retain data beyond what is necessary to demonstrate a Vulnerability.
I understand that unauthorized access to computer systems is a criminal offence under Section 66 of the IT Act, 2000 in India and that the Safe Harbor protection is conditional on strict scope compliance.
I will not disclose any Vulnerability, Vulnerability Report, or Customer information to any third party without prior written authorization.
I am solely responsible for my tax, social security, and professional compliance obligations.
I have not and will not engage in any conflict of interest with respect to Programs I participate in.
I understand that breach of these obligations may result in permanent account termination, forfeiture of pending Rewards, and civil or criminal liability.

This certification is electronically accepted upon Platform registration and renewed annually or upon material GCU amendments.

— End of Document —

Xc0mrade Technologies Private Limited

CIN: U62099BR2025PTC079540|Bihar, India|

legal@xc0mrade.com

0MRADE

xc0mrade@root

Loading0%

Legal Framework

GENERAL CONDITIONS OF USE

Xc0mrade Technologies Private Limited — Version 1.0

Effective Date: April 3, 2026|CIN: U62099BR2025PTC079540

By registering on or using the Platform, you unconditionally accept these GCU. If you do not agree, do not use the Platform.

1. DEFINITIONS

Capitalized terms used herein shall have the meanings assigned below:

"Bug Bounty Program" means a program created by a Customer to invite Security Researchers to test its Systems in exchange for monetary Rewards upon submission of valid Vulnerability Reports.
"Customer" means any company, organization, startup, or government entity subscribing to the Platform's Services.
"Customer User" means any individual authorized by a Customer to manage its Programs, triage reports, and approve payouts on the Platform.
"zerod" means the Platform's integrated community learning module offering CTF challenges, training content, certification pathways, and skill development resources.
"KYC" means Know Your Customer verification as required under applicable Indian financial regulations including PMLA 2002 and RBI guidelines.
"Platform" means the Xc0mrade web application, APIs, mobile applications, and all related digital infrastructure accessible at xc0mrade.com.
"Program" means a Bug Bounty Program, VDP, Featured VDP, PTM engagement, or ASM subscription created and managed by a Customer on the Platform.
"Reward" means the financial payment issued by a Customer to a Security Researcher for a valid, accepted Vulnerability Report submitted under a Bug Bounty Program.
"Safe Harbor" means the express written authorization granted by a Customer through their Program scope, confirming that Security Researchers operating within defined boundaries are authorized to conduct security testing and shall not face legal action.
"Security Researcher" means any independent individual or entity registered on the Platform who discovers and reports Vulnerabilities, whether or not in exchange for a Reward.
"Sketch" means the structured JSON and PNG-format visual representation of a vulnerability exploit chain created using the Platform's integrated Sketcher tool.
"Sketch Score (SS)" means the composite reputation metric assigned to each Security Researcher based on report quality, severity, reproducibility, and community contributions.
"Sketcher" means the Platform's proprietary attack chain visualization tool enabling Security Researchers to document exploit flows as structured, machine-readable data.
"System" means any IT infrastructure, web application, API, mobile application, cloud service, or connected device designated by a Customer as in-scope for testing.
"User" means any individual or entity with a registered account on the Platform, including Customer Users and Security Researchers.
"VDP" means a Vulnerability Disclosure Program, a structured channel enabling Security Researchers to report Vulnerabilities without monetary compensation.
"Vulnerability" means any security flaw, bug, misconfiguration, or weakness in a Customer's System that individually or cumulatively impacts its security or functionality.
"Vulnerability Report" means a structured document submitted by a Security Researcher on the Platform describing a discovered Vulnerability, including technical details, impact assessment, reproduction steps, and where applicable, a Sketch.
"Wallet" means the virtual payment account maintained on the Platform for the deposit, storage, and disbursement of Rewards to Security Researchers, managed through the Platform's authorized Payment Service Provider (PSP).

2. ELIGIBILITY AND USER STATUS

2.1 Age and Legal Capacity

2.2 Independence of Security Researchers

2.3 Authority of Customer Users

2.4 Conflict of Interest

3. REGISTRATION AND ACCOUNT MANAGEMENT

3.1 Account Creation

3.2 Account Security

3.3 KYC Verification

3.4 Account Suspension and Termination

4. SERVICES

4.1 Bug Bounty Programs

Testing must be strictly limited to in-scope assets defined in the Program.
Rewards are determined solely by the Customer based on severity and validity of the Vulnerability Report.
The Platform's P-Tier system (P3, P2, P1) governs access to private and high-value programs based on Sketch Score.
The Sketch Score is updated automatically based on report outcomes as defined in Schedule A.

4.2 Vulnerability Disclosure Programs (VDP)

4.3 Penetration Test Management (PTM)

4.4 Attack Surface Management (ASM)

4.5 zerod — Community Learning Platform

4.6 Sketcher Tool

Grants the Customer a non-exclusive, perpetual license to use the Sketch for internal security remediation purposes.
Acknowledges that the JSON payload and PNG export generated by the Sketcher become part of the Vulnerability Report and are subject to the IP assignment provisions in Section 6.
Represents that the Sketch accurately depicts the documented vulnerability and does not contain fabricated or misleading information.

5. SECURITY RESEARCHER OBLIGATIONS

5.1 Authorized Testing

5.2 Prohibited Conduct

Security Researchers must not, under any circumstances:

Conduct or attempt Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks against any System.
Access, exfiltrate, modify, or destroy data beyond what is strictly necessary to demonstrate the existence of a Vulnerability.
Engage in social engineering, phishing, or physical attacks against Customer employees, contractors, or third parties.
Access systems, accounts, or data belonging to any individual or entity other than test accounts expressly provided by the Customer.
Demand payment or threaten public disclosure as a condition for providing Vulnerability information (extortion).
Disclose any Vulnerability or Vulnerability Report to any third party, media outlet, or on social media without prior written approval from the Customer and the Company.
Use discovered Vulnerabilities for personal gain beyond the Program's Reward structure.
Submit knowingly false, fabricated, or duplicate reports.
Violate any applicable Indian or international law in connection with security testing.

5.3 Responsible Disclosure

5.4 Evidence and Report Quality

6. INTELLECTUAL PROPERTY

6.1 Platform IP

6.2 Vulnerability Report IP Assignment

6.3 Platform Data

7. FINANCIAL CONDITIONS

7.1 Rewards

7.2 Platform Commission

7.3 Wallet and Payouts

7.4 Indian Tax Compliance

Bug Bounty Rewards are treated as professional/contractual services income and withheld under applicable provisions such as Section 194C or Section 194J, as determined by prevailing law and transaction facts.
The Company will issue Form 16A / TDS certificates as required by law.

7.5 Invoicing Mandate

8. CONFIDENTIALITY

9. PERSONAL DATA AND PRIVACY

9.1 Data Controller

9.2 Security Researcher Data

9.3 Data During Testing

9.4 Data Subject Rights

10. LIABILITY

10.1 Company Liability

To the maximum extent permitted by applicable Indian law, the Company shall not be liable for:

Any damage caused by unauthorized activity conducted by Security Researchers outside the defined Program scope.
Non-payment or disputes regarding Rewards between Customers and Security Researchers.
Technical inaccuracies, errors, or omissions in Vulnerability Reports.
Loss of data, business interruption, or consequential damages arising from Platform use.
Platform unavailability due to maintenance, force majeure, or third-party infrastructure failures.
Actions or omissions of Customer Users in managing their Programs.

10.2 Security Researcher Liability

10.3 Customer Liability

11. SAFE HARBOR AND LEGAL PROTECTION

Safe Harbor protection is strictly conditional on compliance with Program rules and these GCU. Testing outside scope voids all protections immediately.

12. INTERMEDIARY STATUS AND COMPLIANCE

Appoints a Grievance Officer accessible at grievance@xc0mrade.com for User complaints and data privacy concerns.
Maintains a notice-and-takedown mechanism for unlawful content — content deemed unlawful (including exploit code targeting critical infrastructure) will be removed within 72 hours of notification.
Conducts reasonable due diligence on Users but does not take editorial control over third party content (Vulnerability Reports).

13. P-TIER REPUTATION SYSTEM

The Platform operates a three-tier reputation system based on Sketch Score (SS):

P3 — Contributor (0 to 500 SS): Access to public programs, standard submission quota, basic Platform features.
P2 — Verified Analyst (501 to 1500 SS): Private program eligibility, mentorship access, increased submission quota, ECS screening eligibility.
P1 — Elite Partner (1501+ SS): Recruitment pathway access, Platform governance participation, apex decay rules apply.

13B. PERSONAL DATA BREACH NOTIFICATION

Such notice will include, to the extent reasonably available at the time: (i) nature of the breach; (ii) likely consequences; and (iii) mitigation/remedial measures taken or proposed.

14. GOVERNING LAW AND DISPUTE RESOLUTION

Step 1 — Informal Resolution: The parties will attempt to resolve the dispute amicably within 30 days of written notice.
Step 2 — Mediation: If informal resolution fails, the parties agree to mediation under the Mediation Act, 2023 before an agreed mediator.
Step 3 — Arbitration: Unresolved disputes shall be referred to binding arbitration under the Arbitration and Conciliation Act, 1996, with a sole arbitrator appointed by mutual agreement, seated in Patna, Bihar.
Step 4 — Courts: If arbitration is inapplicable, the parties submit to the exclusive jurisdiction of the competent courts of Patna, Bihar.

15. GENERAL PROVISIONS

15.1 Amendments

15.2 Force Majeure

15.3 Severability

If any provision of these GCU is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.

15.4 Entire Agreement

15.5 Contact

For all queries, notices, and complaints: legal@xc0mrade.com | grievance@xc0mrade.com
Xc0mrade Technologies Private Limited | CIN: U62099BR2025PTC079540 | Bihar, India

SCHEDULE A — SKETCH SCORE POINTS TABLE

The following points are automatically applied to a Security Researcher's Sketch Score upon report status change:

Report Outcome	Sketch Score Change
Resolved — Critical severity	+50 SS
Resolved — High severity	+30 SS
Resolved — Medium severity	+15 SS
Resolved — Low severity	+7 SS
Resolved — Informational	+3 SS
Accepted / Triaged	+7 SS
Marked as Duplicate	-5 SS
Rejected / Informational	-10 SS
Confirmed Spam / Malicious	Score zeroed to 0
Ethics training completed	+5 SS
Mentor session completed	+3 SS
CTF challenge completed (zerod)	+2 to +10 SS

Sketch Score cannot fall below 0. Score zeroing applies only on confirmed spam or malicious activity as determined by the Trust & Safety team.

SCHEDULE B — MANDATORY ETHICS AND DISCLOSURE CERTIFICATION

Before accessing P2 and P1 programs and before receiving any Reward payment, Security Researchers must complete and certify the following:

I, the undersigned Security Researcher, certify that:

I have read, understood, and agree to abide by the Xc0mrade General Conditions of Use Version 1.0.
I will conduct all Tests strictly within the scope defined by the Customer's Program and will not access, modify, or retain data beyond what is necessary to demonstrate a Vulnerability.
I understand that unauthorized access to computer systems is a criminal offence under Section 66 of the IT Act, 2000 in India and that the Safe Harbor protection is conditional on strict scope compliance.
I will not disclose any Vulnerability, Vulnerability Report, or Customer information to any third party without prior written authorization.
I am solely responsible for my tax, social security, and professional compliance obligations.
I have not and will not engage in any conflict of interest with respect to Programs I participate in.
I understand that breach of these obligations may result in permanent account termination, forfeiture of pending Rewards, and civil or criminal liability.

This certification is electronically accepted upon Platform registration and renewed annually or upon material GCU amendments.

— End of Document —

Xc0mrade Technologies Private Limited

CIN: U62099BR2025PTC079540|Bihar, India|

legal@xc0mrade.com