Additional Terms and Conditions for WhiteHat Sentinel Elite Edition

Subject to the terms and conditions described below and the service agreement by and between WhiteHat and Customer (“Service Agreement”), in the event WhiteHat fails to report to Customer a Covered Vulnerability (as defined below) and such vulnerability is exploited by a third-party to cause a Material Harm (as defined below), Customer will be eligible for (i) a refund of the remaining, unused portion of the fees paid to WhiteHat that correspond to a Customer Web Application covered by a Sentinel Elite subscription as specifically identified in an applicable Service Order (“Elite Application”) and (ii) reimbursement of actual expenses that directly result from such Material Harm up to a maximum amount not to exceed five hundred thousand dollars ($500,000) for each Elite Application. Such refund and reimbursement shall be referred to collectively herein as the “Payments”.

Sentinel Elite Coverage / Customer Responsibilities

The following terms and conditions (“Elite Terms”) apply to Sentinel Elite:

  • For each Sentinel Elite subscription purchased, subject to the terms and conditions described below, Customer shall be eligible for the Payments and, during the term of such subscription, shall receive the following for each Elite Application:
    1. A WhiteHat subject matter expert (“SME”) will be assigned to Customer to act as a liaison with Customer internal resources for the first ninety (90) days of the Sentinel Elite subscription.
    2. A prioritization report created by the assigned SME that includes the vulnerabilities identified by WhiteHat for the Elite Application. WhiteHat will provide such report within thirty (30) days after the initial Sentinel Elite scan and business logic assessment for the Elite Application have been completed.
    3. WhiteHat Limited Platinum Support (described on Exhibit A hereto) for the first sixty (60) days of the Sentinel Elite subscription.
    4. Twenty percent (20%) discounts on the purchase of WhiteHat training sessions.
  • To qualify for the Payments, an Elite Application must be covered by a Sentinel Elite subscription at the time its security is compromised (as described below), and such compromise must (i) be the direct result of a Covered Vulnerability that WhiteHat failed to report to Customer through Customer’s WhiteHat Sentinel web portal (“Sentinel Portal”) prior to the applicable Incident and (ii) not be the result of an Excluded Vulnerability (as defined below) (an “Incident”).
  • The alleged compromise must have resulted in Material Harm to the Customer. “Material Harm” must include at least one of the following: (i) breach of a security system as defined under Delaware Code tit. 6 Sect. 12B-101 et seq., (ii) public disclosure of confidential business information or (iii) end-user account takeover.
  • To apply for a claim, a written confidential Incident report (the “Incident Report”) must be submitted to WhiteHat customer support (i) within thirty (30) days after the date the Customer discovers the Incident and (ii) not later than forty-five (45) days after the date of expiration or termination of the Sentinel Elite subscription. A separate Incident Report must be submitted for each Incident.
  • The Incident Report must be in compliance with the forensics framework described in the National Institute of Standards and Technology’s “Computer Security Incident Handling Guide” (NIST 800-61 rev2), found here: http://dx.doi.org/10.6028/NIST.SP.800-61r2, or a comparable control in an industry-accepted framework such as (i) PCI 12.10, (ii) ISO/IEC 27002:2013 – Chapter 16 or (iii) COBIT PO9.
  • Prior to payment of any claims, at its own expense, WhiteHat reserves the right to (i) have an Incident response investigation performed by an independent third-party firm or (ii) conduct its own such investigation. Customer agrees to provide reasonable assistance to WhiteHat or its designated agent during such investigation.
  • Customer agrees to use reasonable commercial efforts to notify WhiteHat within forty-eight (48) hours after Customer becomes aware of a Covered Vulnerability in an Elite Application that has not been reported to Customer through Customer’s Sentinel Portal.
  • In the event of an Incident, in order to be eligible for the Payments:
    1. Customer must be in compliance with the terms and conditions of the Service Agreement applicable to the Sentinel Elite subscription for the compromised Elite Application.
    2. If access to an Elite Application requires credential(s) (usernames or passwords), Customer must have provided to WhiteHat valid and working credentials for the compromised Elite Application at least thirty (30) days prior to the date of the Incident, and such credentials must have remained valid during such thirty (30) day period.
    3. Customer must have provided the primary hostname, primary IP address and all associated hostnames and subdomains (and their applicable ports and protocols) for each Elite Application on the applicable Service Order.
    4. If an Incident results from a Covered Vulnerability located on a hostname or subdomain associated with an Elite Application but not specifically provided to WhiteHat on the applicable Service Order (each an “Associated Domain”), Customer must have provided separate written authorization to WhiteHat (email is acceptable) to scan such Associated Domain (and its applicable ports and protocols), and a complete Sentinel Elite scan must have been completed on any such Associated Domain prior to the date an Incident occurs (as identified in the WhiteHat Sentinel scanning logs).
    5. The Incident (i) must be the result of a Covered Vulnerability that WhiteHat is able to access with commercially reasonable effort using the hostnames and Associated Domain names provided by Customer prior to the date of such Incident and (ii) must not be the result of (y) a Covered Vulnerability that has been intentionally concealed within an Elite Application by Customer personnel or (z) the gross negligence or willful misconduct of Customer personnel.
    6. If Customer modifies an Elite Application during the term of the Sentinel Elite subscription, a complete Sentinel Elite scan must have been completed on such modified Elite Application prior to the date an Incident occurs (as identified in the WhiteHat Sentinel scanning logs).
    7. Customer must have set a scan schedule for the Elite Application that allowed WhiteHat no less than forty-eight (48) scanning hours in the seven (7) days prior to the date of the Incident.
    8. If an Incident is the result of the exploit of a Zero-Day Threat, such Incident must have occurred at least seventy-two (72) hours after a Common Weakness Enumeration ID (CWE – http://cwe.mitre.org/) or Common Vulnerabilities and Exposures ID (CVE – http://cve.mitre.org/) has been published for such Zero-Day Threat. For the purposes of these Sentinel Elite terms and conditions, a “Zero-Day Threat” is an attack that exploits a previously unknown vulnerability for which developers have not yet created a patch. Prior to the end of such seventy-two (72) hour period, WhiteHat may, in its sole discretion, determine that a Zero-Day Threat shall be considered an Excluded Vulnerability upon written notice to Customer, which would render any Incident resulting from such Zero-Day Threat ineligible for the Payments. Customer acknowledges and agrees that WhiteHat may modify these Elite Terms to add such Zero-Day Threat to the Excluded Vulnerabilities table below, and Customer shall be subject to such modified Elite Terms upon written notice via email or via Customer’s Sentinel portal (notwithstanding any notification requirements to the contrary included in the Service Agreement).

Payments

If the alleged Incident is confirmed by WhiteHat or its appointed, independent third-party firm, or WhiteHat decides (in its sole discretion) not to perform an Incident response investigation (“Confirmed Incident”), then for each Sentinel Elite subscription that involves a Confirmed Incident, Customer shall be eligible for the Payments as follows:

  • Subscription Fee Refund: A refund of the remaining, unused portion (as of the date of a Confirmed Incident) of the Sentinel Elite subscription fee paid by Customer for the compromised Elite Application. Such refund may be redeemed as a refund of such fees, or a credit applied toward a future WhiteHat subscription. Fee refunds will be processed within thirty (30) days after the date a Confirmed Incident has been validated by WhiteHat and credits will be applied to the next invoice for WhiteHat services.
  • Expense Reimbursement: Reimbursement of expenses incurred as a direct result of a Material Harm following a Confirmed Incident, up to a maximum amount not to exceed five hundred thousand dollars ($500,000) for each Elite Application, may be requested by Customer following a Confirmed Incident (“Expense Reimbursement Request”). Any such reimbursement will require Customer to provide WhiteHat with copies of applicable proof of payment (e.g. canceled checks or receipts) for the Expense Reimbursement Request, and WhiteHat has the right to contact the recipient of such payments and perform (at its own expense) an audit of Customer’s records related to any Expense Reimbursement Request. Customer may submit no more than one Expense Reimbursement Request for each Elite Application during the term of a Sentinel Elite subscription covering such affected Elite Application.

Customer’s sole and exclusive remedy for any Incidents and Material Harm will be the Payments described herein. Payments made to Customer pursuant to these Sentinel Elite terms shall not be considered an admission of responsibility for an Incident or any further liability. Customer is responsible for complying with all laws and regulations applicable to an Incident and WhiteHat will not be responsible for any liability or expense related to such laws and regulations. A claim submitted by Customer will have no impact on the Service Agreement. Customer acknowledges and agrees that each Sentinel Elite subscription will terminate at the end of the subscription period referenced on the applicable Service Order and will not be subject to any auto renewal provision contained in the Service Agreement or any Service Order under such Service Agreement.

Vulnerabilities

For the purposes of the Sentinel Elite service described herein, with the exception of a vulnerability listed in the Excluded Vulnerabilities table below, a vulnerability included in one of the following Covered Vulnerability Classes shall be considered a “Covered Vulnerability” and shall be eligible for the Payments.

Covered Vulnerability Classes

  • Abuse of Functionality
  • Brute Force
  • Buffer Overflow
  • Content Spoofing
  • Credential/Session Prediction
  • Cross-site Request Forgery
  • Cross-site Scripting
  • Directory Indexing
  • HTTP Response Splitting
  • Improper File-system Permissions
  • Improper Output Handling
  • Information Leakage
  • Insecure Indexing
  • Insufficient Anti-Automation
  • Insufficient Authentication
  • Insufficient Authorization
  • Insufficient Password Recovery
  • Insufficient Process Validation
  • Insufficient Session Expiration
  • Insufficient Transport Layer Protection
  • Null Byte Injection
  • OS Commanding
  • Path Traversal
  • Predictable Resource Location
  • Remote File Inclusion
  • Server Misconfiguration
  • Session Fixation
  • SQL Injection
  • SSI Injection
  • URL Redirector Abuse
  • XML External Entities
  • XPath Injection
  • XQuery Injection

Due to the complexities of the inner workings of software and configuration interactions, WhiteHat is not able to determine with absolute certainty whether certain vulnerabilities are present in an Elite Application. Therefore, for the purposes of the Sentinel Elite service described herein, a vulnerability listed in the Excluded Vulnerabilities table below shall be considered an “Excluded Vulnerability” and shall not be eligible for the Payments.

Excluded Vulnerabilities

  • CVE-2014-0160
  • CVE-2014-6271


Exhibit A

DESCRIPTION OF WHITEHAT PLATINUM SUPPORT

Service Request Response Times: WhiteHat customer support will respond to service requests as follows:

  • Severity Level 1 – Critical
    Response Requirements: Within 1 hour, 24×7, from the time the case was logged.
    Description: Sentinel Services Down – Any problem with Services within WhiteHat’s control that completely bars Customer from accessing Sentinel Services.
  • Severity Level 2 – Serious
    Response Requirements: Within 4 hours, during normal WhiteHat business hours, from the time the case was logged.
    Description: Sentinel Services Impaired – Any problem with Services within WhiteHat’s control that limits Customer’s ability to run an assessment, access major portions of the Sentinel interface, or retrieve results.

Reported Sentinel Bug Service Level Agreements (SLA): If Customer identifies a bug in the Sentinel Service that is confirmed by WhiteHat, customer support will respond as follows:

  • Severity Level 1
    Response Requirements: Within 1 hour, 24×7, from the time the case was logged.
    Resolution Target: Within 8 hours, fix problem or provide workaround. Work to downgrade to Severity 2.
  • Severity Level 2
    Response Requirements: Within 4 hours, during normal WhiteHat business hours, from the time the case was logged.
    Resolution Target: Provide a workaround within 1 day and solution/fix within an average of 3 days, or a statement regarding the disposition of the problem.

Custom Vulnerability Exploit and Remediation Review

WhiteHat will provide Customer with vulnerability reviews upon request. These reviews provide a custom vulnerability exploitation example (proof of concept – PoC). This review may take up to 1 business day per request to complete.

Monthly Service Status Reviews

The SME will schedule, manage, and execute monthly status calls with Customer’s team, as requested by Customer. This enables the SME to proactively manage Customer’s service requirements and help coordinate the review of open vulnerabilities or open cases.

Direct Access to Senior Security Engineers

Customer will have phone and email access to senior security engineers. WhiteHat will respond to Customer requests for assistance within two (2) business hours, Monday-Friday between 6 AM and 7 PM PT, excluding any U.S. federal holidays.