IEI Security Bounty Program
Terms and Conditions

Revised on 2025.02.07

The IEI Security Bounty Program Terms and Conditions ("T&C") is between IEI Integration Corp. ("IEI," "we" or "us") and any individuals, entities or organizations who participate (“Participants,” “you” or “your”) in the IEI Security Bounty Program ("Program"). By submitting any vulnerabilities report to IEI or otherwise participating in the Program in any manner (“Submission”), you fully understand and accept this T&C.

IEI has an uncompromising commitment to information security and has partnered with the security research community to identify and fix vulnerabilities to keep our users, products, and the internet safer. To thank those contributing, IEI provides rewards through our security bounty program.

1. Program Scope
• 1.1 This Program only accepts security vulnerabilities of IEI System Software and Official Websites which have been officially released. You shall refer to our Program website for further details of Program Scope. Beta versions are not included in the Program.
• 1.2 Out-of-scope vulnerabilities will not be eligible for a reward, with exceptions made for critical vulnerabilities depending on the situation. 
• 1.3 Unsolicited proposals or ideas, including but not limited to reminders for present technologies, advice for cyber security strategy, and product feedback/improvements are not accepted under this program. 
• 1.4 IEI makes no assurances that your Submission with out-of-scope content mentioned above will be treated as confidential or proprietary. 

2. Program Restrictions
• 2.1 Actions that may potentially damage or detrimentally affect IEI servers or data are prohibited. 
• 2.2 Vulnerability reports are particularly not accepted if they describe or involve Restrictions of Program Scope stated on our Program website. 
• 2.3 By participating in this Program, the following actions are especially forbidden:
• 2.3.1 Violate or assist to violate any local or Taiwanese laws/regulations;
• 2.3.2 Engaging in activities which may be linked to exploitation, abuse, smuggling, or pornography of children;
• 2.3.3 Sharing inappropriate content or material, including but not limited to nudity, bestiality, pornography, or criminal activity;
• 2.3.4 Infringing the civil rights, intellectual property rights, or privacy of others.
• 2.4 By violating any terms of Section 2, you will be prohibited from participating in the Program in the future, and any Submissions you have provided will be deemed to be ineligible for Bounty payments.
• 2.5 IEI disclaims any liability or responsibility arising upon actions of Participants related to Section 2.2 & 2.3 Participants shall be fully responsible for such action.

3. Eligibilities
• 3.1 Anyone who is currently an employee or contractor of IEI or affiliate of IEI shall not be eligible to this Program.
• 3.2 If you are an employee of public sector (government or education), it is your sole responsibility to comply with any work/employee/service polices or gifts and ethics rules that may affect your eligibility to participate in the Program. If any of such policies are breached, your participation of this Program and eligibility of Bounty reward may be disqualified. All payments will be made in compliance with local laws, regulations, and ethics rules. IEI disclaims any liability or responsibility for disputes arising between an employee and their employer related to this issue.
• 3.3 There may be additional restrictions on your eligibility depending upon your local law.

4. Reward Qualifications
• 4.1 You are qualified for the reward if and only if:
• 4.1.1 you are the first researcher to report the vulnerabilities; and 
• 4.1.2 you do have Not publicly shared/uploaded any files and/or details related to the vulnerability to any publicly-accessible websites; and
• 4.1.3 the reported vulnerability is confirmed to be verifiable, replicable, and a valid security issue by the IEI PSIRT team; and
• 4.1.4 you agree all the terms and conditions of the Program.
• 4.2 The reward may be increased based on:
• 4.2.1 Complexity of exploiting the vulnerability and the severity of the security vulnerability, including the percentage of affected users and systems;
• 4.2.2 Quality and format of the description: Higher rewards may be paid for clear, well-written bug bounty reports following IEI suggested format;
• 4.2.3 Quality of the proof of concept: Higher rewards may be paid if testing code, scripts, steps to reproduce and detailed instructions are included;
• 4.2.4 Quality of the fix: Higher rewards may be paid if suggestions on fixing the issue are provided;
• 4.2.5 Following other instructions shown on the Program website.
• 4.3 The determination of reward qualification and amount for all Submission is fully governed by IEI.

5. Submission Requirements
• 5.1 The following documents or contents are necessary for your submission/report:
• 5.1.1 product name, version, and build number where the vulnerability exists or URL location for cloud services;
• 5.1.2 summary of the potential threats posed by the vulnerability, along with clear and detailed replication steps.
• 5.2 You are required to comply with the confidentiality requirements and follow the guidelines and process about submission of vulnerability report stated on our Program website.

6. Reviewing Process
• The IEI PSIRT team may review your Submission based on the following procedure.
• 6.1 IEI PSIRT team will first verify the completeness of the Submission then send you a confirmation letter within one (1) week after such verification.
• 6.2 The award proposal will be sent to you via email within four (4) weeks after the date of the confirmation letter.
• 6.3 The aforementioned review procedure and timeline may vary according to the complexity of the Submission.

7. Submission License
• IEI does NOT claim any ownership or intellectual property rights toward your Submission. Nevertheless, by providing any Submission to IEI, no matter it is qualified for the reward or not, you:
• 7.1 grant to IEI a worldwide, free of charge, perpetual, non-exclusive, irrevocable, sub-licensable license under all intellectual property in your Submission:
• 7.1.1 to use, evaluate, review, examine, and otherwise analyze your Submission; and
• 7.1.2 to wholly or partly duplicate, modify, create derivative works and adaptations, distribute, publicly perform, and otherwise commercialize your Submission and all its content; and
• 7.1.3 to feature your Submission and all its content wholly or partly in accordance with the marketing, sale, or promotion of IEI in all sorts of media whether now known or later developed; and
• 7.2 agree to sign any documentation which may be required for us to confirm the license and rights you granted above; and
• 7.3 represent and warrant that your Submission is your own work, and you have the legal right to provide the Submission to IEI.

8. Bounty Payment
• 8.1 The Bounty reward will be transmitted within twelve (12) weeks after we confirm the qualification and severity level of your Submission.
• 8.2 All reward will be transmitted through PayPal in US Dollars only.
• 8.3 You are required to sign a consent letter provided by IEI for confirming the amount of reward and the acceptance of this T&C before the Bounty reward is transmitted.
• 8.4 Participants shall be solely accountable for all applicable taxes related to the Bounty reward.

9. Confidentiality
• 9.1 All the content of the Submission shall remain confidential before all the vulnerabilities, security risks, or possible damages referred in the Submission are detected and fixed by IEI. It is the Participants’ responsibility to NOT disclose or publish any contents of the Submission in public or toward any other parties, unless a notice of approval from IEI or a corresponding Security Advisory article is posted on our website.
• 9.2 The Bounty Payment shall not be regarded as the notice of approval mentioned in Section 9.1.
• 9.3 The Submission will be disqualified, and any received reward will be retrieved if the Participants violate any terms of Section 9.

10. Privacy
• 10.1 All the data and personal information contained in this Program will be governed under GDPR and IEI Privacy Policy.
• 10.2 IEI will not disclose or publish the names or any personal information regarding to the Program and Submission, unless a prior consent by the Participants.

11. Limitation Of Liability
• IN NO EVENT AND IN NO CIRCUMSTANCES SHALL IEI AND ITS AFFILITES BE LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES WHATSOEVER ARISING OUT OF OR IN ANY WAY RELATED TO THE PARTICIPATION OF THIS PROGRAM OR OTHERWISE UNDER OR IN CONNECTION WITH ANY PROVISION OF THIS T&C, EVEN IN THE EVENT OF THE FAULT, TORT (INCLUDING NEGLIGENCE), STRICT LIABILITY, BREACH OF T&C OR BREACH OF WARRANTY OF IEI, AND EVEN IF HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12. Resolve of Disputes
• Any litigation or disputes arising out of this Program/T&C shall be construed and controlled by the laws of Taiwan and shall be subject to the jurisdiction of the District Court of Taipei, Taiwan.

13. General Conditions
• 13.1 All process of the Program included but not limited to the decision of severity level, qualification of submission, reward amount, and all the other contents included in this T&C, will be entirely determined and governed by IEI.
• 13.2 The policy, guidelines, qualification requirements, eligibility requirements or T&C may change without advanced notice. We may also stop the Program at any time.
• 13.3 IEI does not guarantee any compensation or credit for use of your Submission.
• 13.4 Any breach of this T&C may be resulted in the ineligibility for your Submission, prohibition from this Program in the future, or violation of legal liabilities by IEI’s own discretion or under any applicable laws.
• 13.5 Individuals/organizations on or residents who are from the countries in the sanction list of the Taiwan government are not eligible to the reward. Notwithstanding the foregoing, the participation to this Program is still welcomed.
• 13.6 This T&C is executed in multi-languages. In case of any conflict or inconsistency, the English version shall always prevail.