Terms & Privacy
These terms govern your use of this vulnerability disclosure portal and explain how your personal data is handled when you submit a report.
Program Rules
By submitting a vulnerability report you agree to:
- Research and report in good faith, without harming users, data, or service availability.
- Stay within the published scope and follow the program's disclosure policy.
- Access, modify, or save only the minimum data necessary to demonstrate the vulnerability, and never use it for any other purpose.
- Not demand payment or other benefits in exchange for withholding a report or vulnerability details.
- Keep vulnerability details confidential until the program authorizes public disclosure.
The full disclosure policy, including scope and safe harbor, is published on the program policy page.
Privacy Notice
Fourthwall (the organization operating this program) is the data controller for personal data submitted through this portal. Kit (startupkit.app) processes this data on its behalf as the portal provider.
Data we collect
- Contact details you provide (email address, name, handle).
- The contents of your reports, messages, and attachments.
- Payout details you submit to receive bounties (such as a PayPal address or bank account details), stored encrypted.
- Tax documents (such as W-9 / W-8BEN) where required for bounty payments.
- IP address and browser user agent, recorded in a security event log when you sign in or act on a report.
- Anti-abuse records (such as IP addresses of suspected spam submissions), stored encrypted.
Why we process it
- Triaging your reports and communicating with you about them.
- Paying bounties and meeting legal and tax obligations.
- Securing the portal and preventing abuse.
Your data is retained for as long as needed for these purposes, typically for the life of the related report and program, and longer where law requires (for example, payment and tax records).
You may request access to, correction of, or deletion of your personal data, subject to legal retention duties. Submit privacy requests and questions through this portal — for example in the message thread of one of your reports.
Changes
We may update these terms from time to time; the current version is always published on this page.