
Vulnerable Things - Industry Member Terms and Conditions

Version 1.0, Effective from 22 June 2020.

Please note: These terms apply to Industry Members only. If you are registering to use the Vulnerable Things platform as a reporter (Reporter) of any weakness of software, hardware, or online service that can be exploited (Vulnerability) in relation to Internet-connected consumer products (Things), please see our Reporter Terms & Conditions instead.

1. About us: Techworkshub Ltd (t/a IoT Security Foundation) (company number SC170059) (we/us/our) is a company registered in Scotland and our registered office is at 1 George Square, Glasgow, Scotland, G2 1AL.

2. Our contract with you: These terms apply to Industry Members (you/your) that have registered to access and use the Vulnerable Things vulnerability disclosure platform (Platform). They apply to the exclusion of any other terms and conditions which are implied by law. These terms represent the entire agreement between you and us in relation to the Platform and you acknowledge that you have not relied on any statement or promise that is not set out in these terms. The agreement between us as set out in these terms will be referred to as this agreement.

3. Vulnerability disclosure policy: In addition to these terms, you agree to comply with our Vulnerability Disclosure Policy, available at /terms/policies/vulnerability-disclosure-policy/.

4. Eligibility to use the Platform: To register to use the Platform, you should be a manufacturer, service provider, application developer or retailer of Things and associated services for such Things which includes, but which is not limited to:

  • Connected children’s toys and baby monitors;
  • Connected safety-relevant products such as smoke detectors and door locks;
  • Smart cameras, TVs and speakers;
  • Wearable health trackers;
  • Connected home automation and alarm systems;
  • Connected appliances (e.g. washing machines, fridges);
  • Smart home assistants.

We reserve the right to cancel your registration if you do not meet the above criteria, in which case we will provide a pro-rata refund of your registration fee (for the unexpired portion of the relevant subscription period) within 14 days of such cancellation.

5. Our obligations: We agree that we will: (a) use our reasonable endeavours to make the Platform available 24 hours a day, seven days a week (but we do not guarantee that your use of the Platform will be uninterrupted or error-free); and (b) provide basic technical support in respect of your use of the Platform (but not provide any advice in relation to the disclosure or resolution of any Vulnerability).

6. Your obligations: You agree that you will: (a) acknowledge and respond to all reports submitted through the Platform within the timescales set out in the Platform; (b) communicate with Reporters in a polite and courteous manner; and (c) not ask Reporters to provide you with any contact details or communicate with them outside of the Platform.

7. Your account: If you choose, or are provided with, a username, password, or any other piece of information as part of our security procedures, you must treat such information as confidential. We have the right to disable access to any account if we reasonably believe that you have shared your details with anyone else or that your account has been compromised. If you know or suspect that anyone other than you knows your details, you must promptly notify us at [email protected].

8. Subscription fee: To register as an Industry Member, you must pay the subscription fee stated on our Platform (Fee) annually in advance. Unless you notify us not less than 30 days prior to the expiry of each 12-month period from the date you first registered for an account, your membership will automatically be renewed for successive periods of 12 months each and we will deduct the Fee using the account details provided to us at the time of registration. You will receive advance notice of renewal in writing. If your account details have changed, you must notify us by email to [email protected]. If we attempt to take payment and it is rejected, we may suspend or terminate access to your account on giving you 10 days’ notice by email.

9. Intellectual property rights: All intellectual property rights in and to the Platform are owned by us or our licensors. Except as set out in these terms, we do not grant you any right in or to any intellectual property rights (including but not limited to copyright, database right, patents or trade mark, in each case whether registered or unregistered) or any other rights or licences in respect of the Platform. You agree to grant us a fully paid-up, non-exclusive, royalty-free, non-transferable licence to copy and modify any materials provided by you to us for the purpose of providing the Platform to you.

10. Use of Vulnerable Things logo: As long as you are a registered Industry Member, we grant you a non-exclusive non-transferable worldwide licence to use our logo on the relevant page of your website that relates to vulnerability disclosure for the sole purpose of signifying your use of the Platform to accept Vulnerability disclosures. You agree to comply with any logo usage guidelines provided by us at any time when replicating it.

10.1 Confidentiality of Vulnerability disclosures: We will not disclose the details of any Vulnerability reported through the Platform before you have had the opportunity to respond in accordance with the timescales notified to you through the Platform.

11. Data protection:

11.1 In this clause, the terms controller, processor, personal data, data subject, process (or any similar term) and personal data breach have the meanings set out in Regulation (EU) 2016/679 (the GDPR), the UK Data Protection Act 2018 or any applicable data protection law in the United Kingdom or European Economic Area (the Data Protection Laws).

11.2 To the extent that we process any personal data on your behalf in the course of providing the Platform, you acknowledge that you will be the controller and we will be the processor in relation to such processing.

11.3 We agree that we will:

(a) only process personal data in line with this agreement and your documented instructions (which may be given by you through your use of the Platform);

(b) promptly notify you if we are required by any applicable law to process personal data otherwise than in line with your instructions (unless applicable law prohibits us from doing so);

(c) immediately notify you if, in our opinion, any instruction given by you infringes the Data Protection Laws;

(d) ensure that anyone with access to personal data is subject to binding confidentiality obligations;

(e) considering the factors set out in the Data Protection Laws, implement appropriate technical and organisational measures to ensure an appropriate level of security when processing personal data;

(f) considering the nature of the processing, assist you by appropriate technical and organisational measures, as far as possible, for the fulfilment of your obligation to respond to requests by data subjects to exercise their rights under the Data Protection Laws;

(g) considering the nature of the processing and information available to us, assist you in ensuring compliance with your obligations under the Data Protection Laws in relation to security of processing, communication of personal data breaches to any supervisory authority or data subjects, data protection impact assessments and prior consultation (in each case as defined in the Data Protection Laws);

(h) at your choice, delete or return all personal data to you after you have ceased to be a member, and delete any existing copies (unless applicable law prohibits us from doing so);

(i) make available to you all information necessary to demonstrate compliance with our obligations as a processor and, subject to agreement on scope and timing, allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you; and

(j) notify you without undue delay if we become aware of a personal data breach.

11.4 You authorise us to appoint any third-party processors of personal data as we consider necessary to enable us to provide the Platform (sub-processors). If we wish to appoint any additional or replacement sub-processors, we will give you reasonable prior notice to give you the opportunity to object. If you do not raise any objection before the expiry of such period, we will assume you do not object. If any objection is raised, we will use our reasonable endeavours to resolve your objection, however if we are unable to do so to your reasonable satisfaction, either of us may terminate this agreement immediately or after such period of notice as agreed between us. We have entered or will enter into written agreements with sub-processors incorporating terms which are substantially similar to those set out in this clause 11 and, as between you and us, we will remain fully liable for all acts or omissions of our sub-processors.

12. Reports submitted through the platform:

12.1 The Platform exists to provide a safe and easy way for Reporters to notify Industry Subscribers of Vulnerabilities that they have identified and to facilitate communication between them. You acknowledge that we do not review, nor do we endorse or guarantee the contents or quality of, any reports submitted through the Platform. Any use of or reliance upon any reports submitted through the Platform will be at your sole risk and we do not accept any liability for any damages, liabilities or losses of any nature incurred by you as a result of any such use or reliance. You are advised to run virus and malware scanning software on any files made available to you through the Platform before they are opened or executed.

12.2 We do not endorse any individual Reporter named in any reports or elsewhere on our Platform.

12.3 Any claim or dispute relating to a report submitted through the Platform will be between you and the relevant Reporter and not us. You may not bring any action, claim or proceedings against us arising out of or in connection with any report submitted through the Platform, except where the same relates to our negligence.

13. Our liability to you:

13.1 Nothing in this agreement excludes or limits any liability which cannot legally be excluded or limited by us.

13.2 Subject to clause 13.1, we will not be liable to you, whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this agreement for: (a) loss of profits; (b) loss of sales or business; (c) loss of agreements or contracts; (d) loss of anticipated savings; (e) loss of use or corruption of software, data or information; (f) loss of or damage to goodwill or reputation; or (g) any indirect or consequential loss.

13.3 Subject to clauses 13.1 and 13.2, our total liability to you arising under or in connection with this agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, will be limited to the amount of the subscription fee paid by you to access and use the Platform in the previous 12 months.

13.4 This clause 13 will survive termination of this agreement.

14. Suspension and termination: Without limiting our other rights or remedies, we may suspend or terminate your access to the Platform or this agreement with immediate effect by giving written notice to you if: (a) you materially breach any of these terms and, if such breach can be remedied, you have failed to do so within seven days of us giving you written notice of such breach; (b) you fail to renew your subscription and have not done so 30 days after the due date for payment; or (c) we give notice to you that we are ceasing to operate the Platform for any reason (in which case we will provide a pro rata refund of your subscription fee for the unexpired portion of the relevant subscription period). Any provision of this agreement that expressly or by implication is intended to come into or continue in force on or after termination will remain in full force and effect.

15. Communications between us: When we refer to written or in writing in this agreement, this includes email. Any notice required to be given under or in connection with our agreement must be made by email and such emails will be deemed received at 9am the next working day after transmission. You may send emails to us at [email protected]. We may send emails to you using the email address associated with your account and if this changes, you must promptly notify us. The provisions of this clause will not apply to the service of any proceedings or other documents in any legal action.

16. Assignment and transfer: We may assign or transfer any of our rights and obligations under these terms and will give you written notice if this occurs. You may not assign or transfer your rights and obligations under these terms to any other person or entity without our prior written consent (such consent not to be unreasonably withheld or delayed).

17. Variation: We may need to make changes to these terms occasionally, to reflect any changes to our Platform or legal requirements. We’ll notify you of any important changes on our Platform or by email before they take effect.

18. Waiver: If we do not insist that you perform any of your obligations under this agreement, or if we do not enforce our rights against you, or if we delay in doing so, that will not mean that we have waived our rights against you or that you do not have to comply with those obligations. If we do waive any rights, we will only do so in writing, and that will not mean that we will automatically waive any right related to any later default by you.

19. Severance: Each paragraph of this agreement operates separately. If any court or relevant authority decides that any of them is unlawful or unenforceable, the remaining paragraphs will remain in full force and effect.

20. Third party rights: This agreement is between you and us. No other person has any rights to enforce any of its terms.

21. Governing law and jurisdiction: The agreement as set out in these Terms is governed by England and Wales law and we each irrevocably agree to submit all disputes arising out of or in connection with this agreement to the exclusive jurisdiction of the [English/Scottish] courts (except that we may recover any amounts owed to us through the courts of any relevant jurisdiction).
