Jiji Vulnerability Disclosure Policy This Jiji Vulnerability Disclosure Policy (“Policy”) governs the relationship between Jiji.NG Online Marketplace Nigeria Limited (“Company”, “we”, “us”) and you. Please review this Policy before submitting your report. By submitting your report you agree to be bound by this Policy and by the decisions of the Company that are final and binding. Introduction Security is core to our values, and we value the input of security researchers acting in good faith to help us maintain a high standard for the security and privacy of our users. We encourage you to submit vulnerabilities you find in our products and services as listed below for a chance to earn rewards. Expectations When working with us according to this Policy, you can expect us to: * Work with you to understand and validate your report, including a timely initial response to the submission; * Work to remediate discovered vulnerabilities in a timely manner; and * Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change. Eligible products and services (in scope) * Jiji.ng web site * Jiji Nigeria Android application: https://play.google.com/store/apps/details?hl=en&id=ng.jiji.app * Jiji Nigeria iOS application: https://apps.apple.com/ie/app/jiji-ng/id966165025 Submission process If you have found a vulnerability that corresponds to the requirements of the Policy, you may submit it to us. All such submissions (“Submission”) should be sent to security@jijiafrica.com. There is no limit on the number of Submissions one person may provide. We may give you a cash reward solely at our discretion. Coordinated vulnerability disclosure You must provide us a reasonable amount of time (at least 30 days from the date of Submission or other term requested by us) to resolve the issue raised in the Submission before you disclose it publicly. You must make the necessary amendment(s) to the disclosure of the Submission within 3 calendar days upon receipt of the respective request from the Company. Ground Rules To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you to: * Play by the rules. This includes following this policy any other relevant agreements; * Report any vulnerability you’ve discovered promptly; * Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience; * Use the prescribed submission process to discuss vulnerability information with us; * Handle the confidentiality of details of any discovered vulnerabilities according to our Disclosure Policy; * Perform testing only on in-scope systems, and respect systems and activities that are out-of-scope; * If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information; * You should only interact with test accounts you own or with explicit permission from the account holder; and * Do not engage in extortion. Intellectual Property Rights You grant the Company the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part. You represent and warrant that your Submission is your own work and that it does not violate any rights, as well as intellectual property rights of any third party. Safe Harbor When conducting vulnerability research according to this Policy, we consider this research conducted under this Policy to be: * Authorized in view of any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good faith violations of this Policy; * Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls; and * Lawful, helpful to the overall security of the Internet, and conducted in good faith. You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this Policy, we will take steps to make it known that your actions were conducted in compliance with this Policy. If at any time you have concerns or are uncertain whether your security research is consistent with this Policy, please submit a report as described above before going any further. Limitation of Liability In no event shall the Company be liable to you for any lost profit or any indirect, consequential, exemplary, incidental, special, or punitive damages arising from this Policy. Notwithstanding anything to the contrary contained herein, you agree that the aggregate liability of the Company to you for any and all claims arising from this Policy is limited to NGN10,000. Changes of Policy The Company may amend this Policy at any time with or without notice. Law and jurisdiction This Policy shall be governed by the laws of the Republic of Nigeria. Any dispute arising out of or in connection with this Policy, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by arbitration under the Arbitration and Conciliation Act (Cap. A18) of the Republic of Nigeria. The number of arbitrators shall be one. The seat of arbitration shall be Lagos, Nigeria. The language to be used in the arbitral proceedings shall be English. Last update: 28 September 2022