Subject to the terms and conditions described below and the service agreement by and between WhiteHat and Customer (“Service Agreement”), in the event WhiteHat fails to report to Customer a Covered Vulnerability (as defined below) and such vulnerability is exploited by a third-party to cause a Material Harm (as defined below), Customer will be eligible for (i) a refund of the remaining, unused portion of the fees paid to WhiteHat that correspond to a Customer Web Application covered by a Sentinel Elite subscription as specifically identified in an applicable Service Order (“Elite Application”) and (ii) reimbursement of actual expenses that directly result from such Material Harm up to a maximum amount not to exceed five hundred thousand dollars ($500,000) for each Elite Application. Such refund and reimbursement shall be referred to collectively herein as the “Payments”.
The following terms and conditions (“Elite Terms”) apply to Sentinel Elite:
If the alleged Incident is confirmed by WhiteHat or its appointed, independent third-party firm, or WhiteHat decides (in its sole discretion) not to perform an Incident response investigation (“Confirmed Incident”), then for each Sentinel Elite subscription that involves a Confirmed Incident, Customer shall be eligible for the Payments as follows:
Customer’s sole and exclusive remedy for any Incidents and Material Harm will be the Payments described herein. Payments made to Customer pursuant to these Sentinel Elite terms shall not be considered an admission of responsibility for an Incident or any further liability. Customer is responsible for complying with all laws and regulations applicable to an Incident and WhiteHat will not be responsible for any liability or expense related to such laws and regulations. A claim submitted by Customer will have no impact on the Service Agreement. Customer acknowledges and agrees that each Sentinel Elite subscription will terminate at the end of the subscription period referenced on the applicable Service Order and will not be subject to any auto renewal provision contained in the Service Agreement or any Service Order under such Service Agreement.
Vulnerabilities
For the purposes of the Sentinel Elite service described herein, with the exception of a vulnerability listed in the Excluded Vulnerabilities table below, a vulnerability included in one of the following Covered Vulnerability Classes shall be considered a “Covered Vulnerability” and shall be eligible for the Payments.
| Covered Vulnerability Classes | |
|---|---|
| Abuse of Functionality | Insufficient Process Validation |
| Brute Force | Insufficient Session Expiration |
| Buffer Overflow | Insufficient Transport Layer Protection |
| Content Spoofing | Null Byte Injection |
| Credential/Session Prediction | OS Commanding |
| Cross-site Request Forgery | Path Traversal |
| Cross-site Scripting | Predictable Resource Location |
| Directory Indexing | Remote File Inclusion |
| HTTP Response Splitting | Server Misconfiguration |
| Improper File-system Permissions | Session Fixation |
| Improper Output Handling | SQL Injection |
| Information Leakage | SSI Injection |
| Insecure Indexing | URL Redirector Abuse |
| Insufficient Anti-Automation | XML External Entities |
| Insufficient Authentication | XPath Injection |
| Insufficient Authorization | XQuery Injection |
| Insufficient Password Recovery | |
Due to the complexities of the inner workings of software and configuration interactions, WhiteHat is not able to determine with absolute certainty whether certain vulnerabilities are present in an Elite Application. Therefore, for the purposes of the Sentinel Elite service described herein, a vulnerability listed in the Excluded Vulnerabilities table below shall be considered an “Excluded Vulnerability” and shall not be eligible for the Payments.
| Excluded Vulnerabilities | |
|---|---|
| CVE-2014-0160 | CVE-2014-6271 |
Exhibit A
DESCRIPTION OF WHITEHAT PLATINUM SUPPORT
Service Request Response Times: WhiteHat customer support will respond to service requests as follows:
| Severity Level | Response | Description |
|---|---|---|
| 1 – Critical | Within 1 hour, 24×7, from the time the case was logged. | Sentinel Services Down – Any problem with Services within WhiteHat’s control that completely bars Customer from accessing Sentinel Services. |
| 2 – Serious | Within 4 hours, during normal WhiteHat business hours, from the time the case was logged. | Sentinel Services Impaired – Any problem with Services within WhiteHat’s control that limits Customer’s ability to run an assessment, access major portions of the Sentinel interface, or retrieve results. |
Reported Sentinel Bug Service Level Agreements (SLA): If Customer identifies a bug in the Sentinel Service that is confirmed by WhiteHat, customer support will respond as follows:
| Severity | Response Requirements | Resolution |
|---|---|---|
| 1 | Within 1 hour, 24×7, from the time the case was logged. | Within 8 hours, fix problem or provide workaround. Work to downgrade to Severity 2. |
| 2 | Within 4 hours, during normal WhiteHat business hours, from the time the case was logged. | Provide a workaround within 1 day and solution/fix within an average of 3 days or a statement regarding the disposition of the problem. |
WhiteHat will provide Customer with vulnerability reviews upon request. These reviews provide a custom vulnerability exploitation example (proof of concept – PoC). This review may take up to 1 business day per request to complete.
The SME will schedule, manage, and execute monthly status calls with Customer’s team, as requested by Customer. This enables the SME to proactively manage Customer’s service requirements and help coordinate the review of open vulnerabilities or open cases.
Customer will have phone and email access to senior security engineers. WhiteHat will respond to Customer requests for assistance within two (2) business hours, Monday-Friday between 6 AM and 7 PM PT, excluding any U.S. federal holidays.