Visit Dow.com Dow Corporate Locations
Legal Dow’s Vulnerability Disclosure Policy—Terms and Conditions

Dow’s Vulnerability Disclosure Policy—Terms and Conditions

The terms and conditions of this policy (the “Terms”) cover your participation in the Vulnerability Disclosure Program (the “Program”) of The Dow Chemical Company (“Dow”). The Terms incorporate by reference the terms and conditions contained in Dow’s Terms of Use and Privacy Statement. The Terms are between you and The Dow Chemical Company (“Dow,” “us” or “we”). By reporting any vulnerabilities to Dow or otherwise participating in the Program in any manner, you accept the Terms.
 

Program Overview

The Program allows users to submit security vulnerabilities and exploitation techniques (“Vulnerabilities") to Dow about eligible Dow systems and services for a chance to earn rewards and/or recognition in an amount/manner determined by Dow in its sole discretion (“Bounty”).

Dow may change or cancel the Program at any time, for any reason. Participating in the Program after the changes become effective means you agree to the new Terms. If you don’t agree to the new Terms, you must not participate in the Program. If you wish to opt-out of the Program and not be considered for Bounties, contact us at vulnerabilitydisclosure@dow.com. Opting out will not affect any licenses granted to Dow in any Submissions provided by you.
  

Scope of Targets

Only the following Dow systems and services (the “Targets”) are subject to the Terms and eligible for user research, testing, and Submissions:

  • *.dow.com
  • *.midlandresolution.com
  • *.rohmandhaas.com.tr
  • *.rohmhaaskimyasanayi.com.tr
  • *.triverconservation.com
  • *.univation.com
  • *.dorinco.com

All other systems and services of Dow and its affiliates are out of scope of the Terms.

If you aren’t sure whether a particular Dow system or service is a Target, contact us at vulnerabilitydisclosure@dow.com before starting your research and testing. If there is an out-of-scope Dow system or service that you think merits research and testing, contact us before starting your research and testing.
  

Safe Harbor

To encourage research and responsible disclosure of Vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of the Terms. We consider security research and Vulnerability disclosure activities conducted consistent with the Terms to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws. We waive any potential DMCA claim against you for circumventing the technological measures we have used to protect the Targets.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party which is not us (or our affiliates), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third-party action based on your actions.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data beyond what the Program permits.

Please contact us before engaging in conduct that may be inconsistent with or unaddressed by the Terms. We reserve the sole right to make the determination of whether a violation of the Terms is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first.

To the extent your security research activities are inconsistent with certain restrictions in our relevant site polices (including Dow’s Terms of Use, which the Terms incorporate by reference) but are otherwise consistent with the Terms and the Program, we waive those restrictions for the sole and limited purpose of permitting your security research under the Program. Just like above, if in doubt, ask us first.
  

Third-Party Safe Harbor

If you make a Submission through this Program that affects a third-party service, we will limit what we share with any affected third party. We may share non-identifying content from your Submission with an affected third party, but only after notifying you that we intend to do so and getting the third party's written commitment that they will not pursue legal action against you or initiate contact with law enforcement based on your report. We will not share your identifying information with any affected third party without first getting your written permission to do so.

Please note that we cannot authorize out-of-scope testing in the name of third parties, and such testing is beyond the scope of the Terms and the Program. Refer to that third party's bug bounty policy, if they have one, or contact the third party either directly or through a legal representative before initiating any testing on that third party or their services. This is not, and should not be understood as, any agreement on our part to defend, indemnify, or otherwise protect you from any third-party action based on your actions.

That said, if legal action is initiated by a third party, including law enforcement, against you because of your participation in the Program, and you have sufficiently complied with the Terms (i.e., have not made intentional or bad faith violations), we will take steps to make it known that your actions were conducted in compliance with the Terms. While we consider Submissions both confidential and potentially privileged documents, and protected from compelled disclosure in most circumstances, please be aware that a court could, despite our objections, order us to share information with a third party.
  

Program Eligibility

You ARE eligible to participate in the Program if you meet all of the following criteria:

  • You are 18 years of age or older and have reached the age of majority in your jurisdiction of primary residence and citizenship; and
  • You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.

If you are a public sector employee (government and education), any Bounty payment must be awarded directly to your public sector organization and subject to receipt of a gift letter signed by your organization's ethics officer, attorney, or designated executive/officer responsible for your organization's gifts/ethics policy. Dow seeks to ensure that by offering Bounties under this Program, it does not create any violation of the letter or spirit of a participant's applicable gifts and ethics rules.

You ARE NOT eligible to participate in the Program if you meet any of the following criteria:

  • You are a resident of any countries under U.S. sanctions (click here to view sanctions programs and country information posted by the United States Treasury Department) or any other country that does not allow participation in this type of program;
  • You are an individual or an individual employed by or associated with an entity identified on the U.S. Department of Commerce’s Denied Persons or Entity List, the U.S. Department of Treasury’s Specially Designated Nationals and Blocked Persons List, or the Department of State’s Debarred Parties List.
  • You are under the age of 18;
  • Your organization does not allow you to participate in these types of programs;
  • You are a public sector employee (government and education) and have not obtained permission from your ethics compliance officer to participate in the Program;
  • You are currently an employee of Dow or a Dow affiliate, or an immediate family (parent, sibling, spouse, or child) or household member of such an employee;
  • Within the six months prior to providing us your Submission you were an employee of Dow or a Dow affiliate; or
  • You currently (or within six months prior to providing us your Submission) perform services for Dow or a Dow affiliate in an external staff capacity that requires access to the Dow Corporate Network, such as agency temporary worker, vendor employee, business guest, or contractor.

It is your responsibility to comply with any polices that your employer may have that would affect your eligibility to participate in the Program. If you are participating in violation of your employer’s policies, you may be disqualified from participating or receiving any Bounty. All Bounty payments will be made—if at all, in Dow’s sole discretion—in compliance with local laws, regulations, and ethics rules. Dow disclaims any and all liability or responsibility for disputes arising between an employee and their employer related to this matter.

There may be additional restrictions on your ability to enter depending upon your local law.
  

Submission Process and Coordinated Vulnerability Disclosure

If you believe you have identified a Vulnerability that meets the applicable requirements set forth in these Terms, you may submit it to Dow, in accordance with the following process:

Each Vulnerability submitted to Dow shall be a "Submission." Submissions must be sent to vulnerabilitydisclosure@dow.com. In the initial email, please include as much of the following information as possible (preferably in English, if possible):

  • Type of Vulnerability
  • Location/URL that contains the Vulnerability
  • Any special configuration required to reproduce the Vulnerability
  • Step-by-step instructions to reproduce the Vulnerability
  • Proof-of-concept scripts or screenshots
  • Potential impact of the Vulnerability, including how an attacker could exploit it

You must follow Coordinated Vulnerability Disclosure (“CVD”) when reporting a Vulnerability to Dow. Submissions that do not follow CVD may not be eligible for Bounties. Not following CVD could disqualify you from participating in the Program in the future.

Depending on the detail and significance of your Submission, Dow may choose—in Dow’s sole discretion—to award a Bounty. Well-written reports and functional exploits are more likely to result in Bounties. Submissions that do not meet the minimum bar described above are considered incomplete and not eligible for Bounties.

Dow is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify Dow at vulnerabilitydisclosure@dow.com to ensure your Submission was received.

If you submit a Vulnerability for a Dow system or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive a Bounty if the system or service is later added to the Program.
  

Submission License

Dow is not claiming any ownership rights to your Submission. However, by providing any Submission to Dow, you:

  • grant Dow the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
  • agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
  • understand and acknowledge that Dow may have developed or commissioned materials similar or identical to your Submission, and you waive any claims you may have resulting from any similarities to your Submission;
  • understand that you are not guaranteed any compensation or credit for use of your Submission;
  • acknowledge that you have no expectation of payment and that you expressly waive any future pay claims against Dow related to your Submission;
  • represent and warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Dow.
      

Submission Review Process

After a Submission is sent to Dow, we will review the Submission and validate its eligibility. The review time will vary depending on the complexity and completeness of your Submission, as well as on the number of Submissions we receive. Dow retains sole discretion in determining which Submissions qualify for and merit a Bounty.
  

Bounty Rewards/Recognition

The decisions made by Dow regarding Bounties are final and binding. If we have determined—in our sole discretion—that your Submission is eligible for and merits a Bounty, we will notify you of the Bounty.

If the Bounty consists of (or includes) a payment, then we will provide you with the necessary paperwork to process your payment. Before receiving a payment, you are required to complete and submit an Internal Revenue Service tax form (e.g., Form W-9, W-8BEN, 8233). If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until you have completed and submitted the fully executed required documentation. If you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).

If the Bounty consists of (or includes) recognition, then Dow may publicly or internally recognize individuals who have been awarded a Bounty. Dow at its discretion may choose to recognize you on web properties or other printed materials unless you ask us not to include your name. 
  

Confidentiality Obligations

“Confidential Information” means any information that is marked or otherwise designated as confidential at the time of disclosure or that a reasonable person would consider confidential based on the circumstances and content of the disclosure, and includes, without limitation: customer information, personally identifiable information, financial information, pricing information, and business information. Confidential Information does not include information that: (i) is or becomes known to the receiving party from a source other than one having an obligation of confidentiality to the disclosing party; (ii) is or becomes publicly known or otherwise ceases to be confidential, except through a breach of this Agreement; or (iii) is independently developed by the receiving party.

You agree that you will (i) hold in confidence and not disclose to any third party any Dow Confidential Information, except as approved in writing by Dow; (ii) protect such Dow Confidential Information with at least the same degree of care that you use to protect your own Confidential Information, but in no case, less than reasonable care; (iii) use Dow Confidential Information for no purpose other than the use permitted by Dow; and (iv) immediately notify Dow upon discovery of any loss or unauthorized disclosure of Dow Confidential Information.

ALL SUBMISSIONS ARE DOW CONFIDENTIAL INFORMATION. This means no Submissions may be publicly disclosed at any time unless Dow has otherwise consented to disclosure. Violation of this section could require you to return any Bounties granted for that Submission and disqualify you from participating in the Program in the future. If you would like to publish or disclose to third parties information about a Vulnerability found through your participation in the Program (e.g., as part of paper reviews or conference submissions), please contact us first to request our consent to such disclosure. We support the open publication of security research; thus, we will endeavor to approve such requests and consent to such disclosure where appropriate, to the extent that the Vulnerability has been fixed and the risk to Dow has been abated.
  

Privacy

See the Dow Privacy Statement disclosures relating to the collection and use of your information in connection with the Program.
  

Excluded Submission Types (and Testing Methods)

Some Submission types are excluded, primarily because they are dangerous to assess or because they have low security impact to Dow. The following Submission types (and testing methods) are excluded from the scope of the Terms and the Program:

  • Findings from physical testing such as office access (e.g., open doors, tailgating).
  • Findings derived primarily from social engineering (e.g., phishing, vishing).
  • Findings derived primarily from any other non-technical vulnerability testing.
  • Findings from systems, services, websites, or applications not listed as Targets in the “Scope of Targets” section above.
  • Functional, UI and UX bugs and spelling mistakes.
  • Network level Denial of Service (DoS/DDoS) Vulnerabilities
  • Findings derived from tests that impair access to (or damage) a Target.
  • Findings derived by physically connecting to a network or device within a facility operated by Dow.
      

Code of Conduct

By participating in the Program, you will follow these rules:

  • Don’t do anything illegal.
  • Don’t compromise the integrity, availability, or confidentiality of non-public information in the possession of Dow.
  • Don’t use an exploit to compromise or exfiltrate data, establish persistent access, or use the exploit to pivot to other systems.
  • Don’t publicly disclose any (potential or confirmed) Vulnerability without the express written consent of Dow.
  • Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
  • Don't share inappropriate content or material (involving, for example, nudity, pornography, graphic violence, or criminal activity).
  • Don't engage in activity that is false or misleading.
  • Don't engage in activity that is harmful to you, the Program, or others (e.g., transmitting viruses, stalking, posting terrorist content, or advocating violence against others).
  • Don't infringe upon the rights of others (e.g., unauthorized sharing of copyrighted material) or engage in activity that violates the privacy of others.
  • Don't help others break these rules.
  • Don’t submit a high volume of low-quality Submissions.
  • Do notify us as soon as possible after you discover a (potential) Vulnerability.
  • Do make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Do use exploits only to the extent necessary to confirm a Vulnerability’s presence.

If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.
  

No Warranties

DOW, AND OUR AFFILIATES, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
  

Limitation of Liability

If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover, from Dow or its affiliates, distributors, third-party providers, and vendors, direct damages up to $100.00. You can't recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. These limitations and exclusions apply even if this remedy doesn't fully compensate you for any losses or fails of its essential purpose or if we knew or should have known about the possibility of the damages. To the maximum extent permitted by law, these limitations and exclusions apply to anything or any claims related to these Terms and the Program.
  

Choice of Law and Place to Resolve Disputes

If you live in (or, if a business, your principal place of business is in) the United States, the laws of the state where you live govern all claims, regardless of conflict of laws principles. You and we irrevocably consent to the exclusive jurisdiction and venue of the state or federal courts in Midland County, Michigan, for all disputes arising out of or relating to these Terms or the Program.
  

Miscellaneous

These Terms (including Dow’s Terms of Use and Privacy Statement, which the Terms incorporate by reference), are the entire agreement between you and Dow for your participation in the Program. These Terms supersede any prior agreements between you and Dow regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court holds that we can't enforce a part of these Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms won't change.
  

Unsolicited Ideas

Other than your Submission, Dow does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements (“Unsolicited Feedback”). If you send any Unsolicited Feedback to Dow through the Program or otherwise, Dow makes no assurances that your ideas will be treated as confidential or proprietary.

IF YOU DO NOT AGREE TO THESE TERMS, PLEASE DO NOT SEND US ANY SUBMISSIONS OR OTHERWISE PARTICIPATE IN THIS PROGRAM.