Rippling Vulnerability Reporting Terms and Conditions
Last Updated: August 21, 2024
The Rippling Vulnerability Reporting Program Terms and Conditions (these "Terms") govern your participation in the Rippling Vulnerability Reporting Program (the "Program"). These Terms are between the natural person and/or the entity the natural person represents ("you" or "your") and People Center, Inc. dba Rippling and our affiliates ("Rippling," "us", or "we"). By submitting any vulnerabilities to Rippling or otherwise participating in the Program in any manner, you accept these Terms and any terms that are supplied by Rippling's vendors or service providers facilitating operation of the Program which are by this reference incorporated herein and made a part hereof; provided that in the event of any conflict or inconsistency among these Terms and any such third-party terms, these Terms shall govern and control to the extent of such conflict and/or inconsistency.
PROGRAM OVERVIEW
The Program enables users to submit (each, a "Submission") vulnerabilities and exploitation techniques ("Vulnerabilities") to Rippling about Rippling products and services ("Products") for a chance to earn rewards of a type and in an amount determined by Rippling from time to time in its sole discretion ("Bounty"). The decisions made by Rippling regarding Bounties are final and binding. Bounties not accepted within one year, or waived, are ineligible for issuance and may be subject to reuse by the Program, donation in accordance with our charitable giving policies, escheat, or general corporate purposes, all within Rippling’s sole discretion. Rippling may change or cancel this Program at any time, for any reason, and may use service providers or subcontractors to administer the Program, including review of Submissions and processing and payment of any Bounty.
CHANGES TO THESE TERMS
We may change these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you don't agree to the new Terms, you must not participate in the Program.
If you wish to opt-out of the Program and not be considered for Bounties, contact us at bounty@rippling.com. Opting out will not affect any licenses granted to Rippling in any Submissions provided by you.
PROGRAM ELIGIBILITY
Rippling reserves the right to immediately remove you from the Program if you violate any provision of these Terms, as determined by Rippling in its sole discretion, which determination is final. To participate in the Program, you must:
- comply with all applicable laws, including those of the country or region in which you reside or in which you make a Submission or receive a Bounty;
- comply with any policies that your employer may have that would affect your eligibility to participate in the Program;
- comply with each provision contained in these Terms and any instructions or directions provided by Rippling in connection with the Program;
- not be in any U.S. embargoed countries or on the U.S. Treasury Department’s list of Specially Designated Nationals, the U.S. Department of Commerce Denied Person’s List or Entity List, or any other restricted party lists;
- not disrupt, compromise, inappropriately access, store, or damage the Rippling Products, Rippling data, Rippling property (including any devices) or that of Rippling's customers or service providers unless Rippling or the applicable property owner has given you express, advance written consent to disrupt, compromise, or damage the data or property;
- have attained the age of majority (i.e., be at least 18 years of age);
- complete all paperwork necessary for your receipt of any Bounty; and
- pay all applicable taxes, duties and other governmental fees and charges in connection with your receipt of a Bounty or participation in the Program.
SUBMISSION PROCESS
If you believe you have identified a Vulnerability, you may submit it to Rippling through the process described at https://www.rippling.com/vulnerability-reporting.
Depending on the detail of your Submission, Rippling may award a Bounty of varying scale. Well-written reports and functional exploits are more likely to result in a Bounty. Submissions that do not meet the minimum requirements above are considered incomplete and not eligible for Bounties. Rippling retains sole discretion in determining which Submissions are qualified. If we receive multiple Submissions from independent parties that identify the same Vulnerability, any Bounty will be granted to the first eligible Submission, but we may grant multiple Bounties in our sole discretion if a duplicate Submission provides information that was previously unknown to Rippling with respect to a Vulnerability.
Rippling is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify Rippling at security@rippling.com to ensure your Submission was received.
There are no restrictions on the number of qualified Submissions you can provide and potentially be paid a Bounty for.
Submissions of a Vulnerability for a Product not covered by the Program at the time of your Submission are not eligible to receive a Bounty, including if such Product is later added to the Program.
CONFIDENTIALITY
Protecting customers is Rippling's highest priority. We endeavor to address each Submission in a timely manner. While we are evaluating a Submission and the Vulnerabilities therein, we require that all details in the Submission remain confidential. You agree that you shall not disclose the details of any Vulnerabilities or any Submission to any third parties, in any form, including as part of paper reviews or conference submissions. You can make available high-level descriptions of your research and non-reversible demonstrations after any discovered or identified Vulnerability is corrected. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Rippling will endeavor to notify you when the Vulnerability in your Submission is fixed. You may receive a Bounty pursuant to the Program prior to the fix being released and payment should not be taken as notification of fix completion. YOU AGREE THAT A VIOLATION OF THIS SECTION REQUIRES YOU TO RETURN ANY BOUNTY RECEIVED WITH RESPECT TO THE VULNERABILITY DISCLOSED AND WILL PERMANENTLY DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM.
SAFE HARBOR
While participating in the Program, you will not be deemed to be in breach of any applicable Rippling use restrictions contained in any terms, including license provisions, applicable to the Products for which you are researching Vulnerabilities (i.e., restrictions on users to not copy, decompile, reverse engineer, disassemble, attempt to derive the source code of, decrypt, modify, or create derivative works of such Products); provided in all cases, your actions were performed strictly during participation in the Program, strictly in compliance with these Terms, and otherwise in connection with good-faith security research that is intended to be reported to Rippling as part of a Submission.
If legal action is initiated by a third party against you and you have complied with these Terms in all respects, we will take commercially reasonable steps to make it known that your actions were conducted in accordance with this Program. If at any time you have concerns or are uncertain whether your security research is consistent with these Terms, please submit a report to security@rippling.com before going any further.
NO WARRANTIES
RIPPLING, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
LIMITATION OF LIABILITY & BINDING ARBITRATION
If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from Rippling or any affiliates, resellers, distributors, third-party providers, and vendors, direct damages up to $100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.
BINDING ARBITRATION AND CLASS ACTION WAIVER
We hope we never have a dispute, but if we do, you and we agree to try for 60 days to resolve it informally. If we can't, you and we agree to pursue the dispute resolution procedures detailed below.
Agreement to Arbitrate. ANY DISPUTE OR CLAIM RELATING IN ANY WAY TO THE PROGRAM OR THESE TERMS SHALL BE RESOLVED BY BINDING, INDIVIDUAL ARBITRATION, RATHER THAN IN COURT. THE TERMS IN THIS SECTION ARE REFERRED TO AS THE "ARBITRATION AGREEMENT." THIS ARBITRATION AGREEMENT APPLIES TO ALL SUCH CLAIMS, BROUGHT UNDER ANY LEGAL THEORY, UNLESS THE CLAIM FITS IN ONE OF THE EXCEPTIONS IDENTIFIED IN THE "EXCEPTIONS TO AGREEMENT TO ARBITRATE" SECTION BELOW.
This arbitration agreement is governed by the Federal Arbitration Act (FAA), including its procedural provisions, in all respects. This means that the FAA governs, among other things, the interpretation and enforcement of this arbitration agreement and all of its provisions, including, without limitation, the class action waiver discussed below. State arbitration laws do not govern in any respect.
This arbitration agreement is intended to be broadly interpreted and will survive termination of this Agreement. The arbitrator, and not any federal, state or local court or agency, shall have exclusive authority to the extent permitted by law to resolve all disputes arising out of or relating to the interpretation, applicability, enforceability, or formation of this Agreement, including, but not limited to, any claim that all or any part of this agreement is void or voidable. If the parties have a dispute about whether this arbitration agreement can be enforced, whether this arbitration agreement applies to a dispute, or any other dispute about the meaning or scope of this arbitration agreement, the parties agree that the arbitrator shall have exclusive authority to resolve the dispute.
There is no judge or jury in arbitration, and court review of an arbitration award is limited. However, an arbitrator can award on an individual basis the same damages and relief as a court (including injunctive and declaratory relief or statutory damages) and must follow this Agreement as a court would. For the avoidance of doubt, the arbitrator can award public injunctive relief.
In the event this arbitration agreement is for any reason held to be unenforceable or inapplicable to a claim, any litigation against Rippling (except for the intellectual property and small claims actions described in "Exceptions to Agreement to Arbitrate" below) may be commenced only in a federal or state court located within San Francisco County, California, and both parties consent to the jurisdiction of those courts for such purposes.
Exceptions to Agreement to Arbitrate. You and Rippling agree that the agreement to arbitrate will not apply to any disputes relating to your or Rippling’s intellectual property (e.g., trademarks, trade dress, domain names, trade secrets, copyrights or patents) and that such disputes may be brought in any court that has jurisdiction over such claims. Also, either party can bring a claim in small claims court in San Francisco, California (or small claims court in another place if both parties agree in writing), if it qualifies to be brought in that court.
Details of Arbitration Procedure.
(a) Informal Resolution. You and Rippling agree that good-faith informal efforts to resolve disputes often can result in a prompt, low-cost and mutually beneficial outcome. Prior to demanding or filing any arbitration, you and Rippling agree to personally meet and confer, in person or by video conference, in a good-faith effort to resolve informally any claim covered by this arbitration agreement. If you are represented by counsel, your counsel may participate in the conference, but you shall also fully participate in the conference. The party initiating the claim must give notice to the other party in writing of its, his, or her intent to initiate an informal dispute resolution conference, which shall occur within 60 days after the other party receives such notice, unless an extension is mutually agreed upon by the parties. To notify Rippling that you intend to initiate an informal dispute resolution conference, email notices@rippling.com with the subject "INFORMAL DISPUTE RESOLUTION REQUEST" and provide your name, the telephone number associated with your Rippling account, the email address associated with your email account, and a description of your claim. In the interval between the party receiving such a notice and the informal dispute resolution conference, the parties shall be free to attempt to resolve the initiating party's claims. Engaging in an informal dispute resolution conference is a requirement that must be fulfilled before commencing arbitration. The statute of limitations and any filing fee deadlines shall be tolled while the parties engage in the informal dispute resolution process described in this paragraph.
(b) If the informal dispute resolution process does not result in a resolution of the dispute within 60 days after the conference is held, either party may initiate an arbitration proceeding under the rules of the AAA. AAA's rules and procedures are available on their website at https://www.adr.org or Customer can call them at 1-800-778-7879. The arbitration will be governed by the then-current version of AAA's Commercial Arbitration Rules (the "AAA Rules") and will be held before a single arbitrator appointed in accordance with the AAA Rules. To the extent anything described in this agreement to arbitrate conflicts with the AAA Rules, the language of this agreement to arbitrate applies. Any arbitration will be conducted in San Francisco, California, or in another location that both parties agree to in writing.
(c) Discovery. Each party will be entitled to get a copy of non-privileged relevant documents in the possession or control of the other party and each party may take one (1) deposition. All such discovery will be in accordance with procedures approved by the arbitrator. This agreement to arbitrate does not alter in any way the statute of limitations that would apply to any claims or counterclaims asserted by either party.
(d) Arbitration Award. The arbitrator's award will be based on the evidence admitted and the substantive law of the State of California and the United States, as applicable, and will contain an award for each issue and counterclaim. The award will provide in writing the factual findings and legal reasoning for such award. The arbitrator will not be entitled to modify this Agreement, and may not award any relief that is inconsistent with this Agreement.
(e) Final and Binding. Except as provided in the Federal Arbitration Act, the arbitration award will be final and binding on the parties. Judgment may be entered in any court of competent jurisdiction.
Class Action Waiver. You and Rippling agree that any claims or controversies between the parties must be brought against each other on an individual basis only, and not in a class, consolidated, or representative action. That means neither you nor Rippling can bring such a claim as a plaintiff or class member in a class action, consolidated action, or representative action. The arbitrator cannot combine or consolidate more than one person’s or one entity's claims into a single case, and cannot preside over any consolidated, class or representative proceeding (unless all parties agree otherwise in writing). Further, the arbitrator's decision or award in one person's or entity's case can only impact the person or entity that brought the claim, not other entities or Rippling customers, and cannot be used to decide other disputes with other customers. YOU AGREE TO WAIVE ANY RIGHT TO A JURY TRIAL, YOU AGREE TO WAIVE ANY RIGHT TO PARTICIPATE IN A CLASS-WIDE OR REPRESENTATIVE ARBITRATION, AND YOU AGREE TO WAIVE ANY RIGHT TO PARTICIPATE IN ANY CLASS ACTION LAWSUIT (INCLUDING FOR ANY CLAIM THAT IS DETERMINED NOT TO BE SUBJECT TO ARBITRATION UNDER THESE TERMS). If a court decides that this class action waiver is not enforceable or valid, then the entire agreement to arbitrate will be null and void, but the rest of this Agreement will still apply.
CHOICE OF LAW AND PLACE TO RESOLVE DISPUTES
If you live in (or, if a business, your principal place of business is in) the United States, the laws of the state where you live govern all claims, regardless of conflict of laws principles, except that the Federal Arbitration Act governs all provisions relating to arbitration. You and we irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in San Francisco County, California, for all disputes arising out of or relating to these Terms or the Program that are heard in court (excluding arbitration and small claims court).
MISCELLANEOUS
These Terms constitute the entire agreement between you and Rippling for your participation in the Program. They supersede any prior agreements between you and Rippling regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court or arbitrator holds that we can't enforce a part of these Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms won't change.
UNSOLICITED IDEAS
Other than your Submission, Rippling does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to Rippling through the Program or otherwise, Rippling makes no assurances that your ideas will be treated as confidential or proprietary and Rippling may use and commercially exploit such Unsolicited Feedback for any and all purposes in perpetuity throughout the world without attribution, compensation, or limitation.
IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.