GoDaddy - COORDINATED VULNERABILITY DISCLOSURE POLICY
Last Revised: 3/12/2021

GoDaddy’s Coordinated Vulnerability Disclosure Program Terms and Conditions ("Terms") cover your participation in the Coordinated Vulnerability Disclosure Program (the "Program"). These Terms are between you and ("GoDaddy ," "us" or "we"). By submitting any vulnerabilities to GoDaddy or otherwise participating in the Program in any manner, you agree and accept these Terms.

1. PROGRAM OVERVIEW

The Program enables users to submit vulnerabilities and exploitation techniques ("Vulnerabilities") to GoDaddy for a chance to earn rewards in an amount determined by GoDaddy in its sole discretion ("Bounty"). Each Service for which Bounties are available has a separate set of terms applicable to that Service (the "Service Agreements"), to include GoDaddy ’s Universal Terms of Service, all of which are incorporated by reference into these Terms. In the event of a conflict between these Terms and the Service Agreements for a particular Service, the Service Agreement control for that particular Service only. The decisions made by GoDaddy regarding Bounties are final and binding. GoDaddy may change or cancel this Program at any time, for any reason without notice.

2. CHANGES TO THESE TERMS

We may change these Terms at any time without notice. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the new Terms, you must not participate in the Program.

If you wish to opt-out of the Program and not be considered for Bounties, contact us at security@godaddy.com. Opting out will not affect any licenses granted to GoDaddy in any Submissions provided by you.

3. PROGRAM ELIGIBILITY

You ARE eligible to participate in the Program if you meet all of the following criteria:

  • You are 18 years of age or older.
  • You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.
ATTENTION PUBLIC SECTOR EMPLOYEES: If you are a public sector employee (government and education), all Bounties must be awarded directly to your public sector organization and subject to receipt of a gift letter signed by your organization's ethics officer, attorney, or designated executive/officer responsible for your organization's gifts/ethics policy. GoDaddy seeks to ensure that by offering Bounties under this Program, it does not create any violation of the letter or spirit of a participant's applicable gifts and ethics rules.

You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

  • You are a resident of any countries under U.S. sanctions or any other country that does not allow participation in this type of program;
  • You are under the age of 18;
  • Your organization does not allow you to participate in these types of programs;
  • You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;
  • You are currently an employee of GoDaddy or a GoDaddy affiliated company, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • Within the six months prior to providing us your Submission you were an employee of GoDaddy or a GoDaddy affiliated company;
  • You currently (or within six months prior providing to us your Submission) perform services for GoDaddy or a GoDaddy affiliated company in an external staff capacity that requires access to the GoDaddy Network, such as agency temporary worker, vendor employee, business guest, or contractor; or
  • You are or were involved in any part of the development, administration, and/or execution of this Program.
  • It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty. All payments will be made in compliance with local laws, regulations, and ethics rules. GoDaddy disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.
There may be additional restrictions on your ability to enter depending upon your local law.

4. SUBMISSION LICENSE

GoDaddy is not claiming any ownership rights to your Submission. However, by providing any Submission to GoDaddy , you:

  • grant GoDaddy the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
  • agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
  • understand and acknowledge that GoDaddy may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
  • understand that you are not guaranteed any compensation or credit for use of your Submission; and
  • represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to GoDaddy .

5. CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE

Protecting customers is GoDaddy’s priority. We endeavor to address each Vulnerability report in a timely manner. While we are doing that we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 60 days after the Vulnerability is fixed. GoDaddy will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION COULD REQUIRE YOU TO RETURN ANY BOUNTIES PAID FOR THAT VULNERABILITY AND DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.

6. BOUNTY PAYMENTS

The decisions made by GoDaddy regarding Bounties are final and binding.

If we have determined that your Submission is eligible for a Bounty, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment. You may waive the payment if you do not wish to receive a Bounty.

If there is a dispute as to who the qualified submitter is, we will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.

Before receiving a Bounty, you are required to complete and submit an Internal Revenue Service tax form (e.g., Form W-9, W-8BEN, 8233) within 30 calendar days of notification of validation. If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until you have completed and submitted the fully executed required documentation.

If your Submission qualifies for a Bounty, please note:

  • if you are unable or unwilling to accept your Bounty, we reserve the right to rescind it; and
  • if you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).

7. Limited Waiver of Other Site Terms & Policies

To the extent your security research activities are inconsistent with certain restrictions in our relevant site terms and polices but are consistent with the terms of this Program, we waive those restrictions for the sole and limited purpose of permitting your security research under this Program. If your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), there is a possibility that they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities as such testing is beyond the scope of our Program, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions. Please contact us at security@godaddy.com before engaging in conduct that may be inconsistent with or unaddressed by this Program. If in doubt, ask us first.

8. UNSOLICITED IDEAS

Other than your Submission, GoDaddy does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to GoDaddy through the Program or otherwise, GoDaddy makes no assurances that your ideas will be treated as confidential or proprietary.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.