contest-terms.rst revision 4e180b6a0b4720a9b8e9e959a882386f690f08ff 
1.. _contest_terms:
2
3#####################################
4Security Contest Terms and Conditions
5#####################################
6
7.. contents::
8  :local:
9  :backlinks: none
10  :depth: 2
11
12.. include:: contest-warning.txt
13
14.. Note::
15   :class: warning
16
17   This has been reformatted from the original, and the enumeration
18   list numbering style differs from the original document.
19
20NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED. CONTEST
21IS OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA
22AND WORLDWIDE, EXCEPT FOR ITALY, BRAZIL, QUEBEC, CUBA, IRAN, SYRIA,
23NORTH KOREA, SUDAN AND MYANMAR.
24
25ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS AND
26CONDITIONS.
27
28I. Binding Agreement
29
30   In order to enter the Native Client Security Contest ("Contest"),
31   you must agree to these Terms and Conditions ("Terms"). Therefore,
32   please read these Terms prior to entry to ensure you understand and
33   agree. You agree that submission of an entry in the Contest
34   constitutes your agreement to these Terms. After reading the Terms
35   and in order to participate, each Participant (as defined below)
36   must complete the registration form, clicking the "I understand and
37   agree" box (or the equivalent), on the Contest entry webpage. Once
38   the Participant clicks the "I understand and agree" box (or the
39   equivalent), the Terms form a binding legal agreement between each
40   Participant and Google with respect to the Contest.
41
42   Participants may not submit an Exploit, Issue or Summary to the
43   Contest and are not eligible to receive the prizes described in
44   these Terms unless they agree to these Terms. If a Participant is
45   part of a team, each member of the team must read and agree to
46   these Terms and click on the "I understand and agree" box (or the
47   equivalent) described herein. Failure of any member of a team to
48   agree to these Terms and click on the "I understand and agree" box
49   (or the equivalent) described herein will disqualify the entire
50   team.
51
52   By entering, Participant warrants that Participant has not violated
53   any employment agreement or other restriction imposed by his or her
54   employer by participating in this Contest.
55
56#. Description
57
58   The Contest is organized by Google and is designed to motivate the
59   developer community to identify and report security Exploits (as
60   defined below) on Google’s Native Client software and reward those
61   developers who identify one or more security Exploits that are
62   evaluated as a winning exploit by the Judges.
63
64   Once a Participant has registered for the Contest, the Participant
65   will be asked to identify security Exploits in Google’s Native
66   Client Software and enter those Exploits on Google’s `Native Client
67   Issue Tracker <http://code.google.com/p/nativeclient/issues/list>`_
68   web site using the "Security Contest Template." At this point, the
69   Exploit will become an Issue and will no longer be able to be
70   identified by another Participant. Google will then verify that the
71   Issue is reproducible. If so, that Issue will become a Verified
72   Issue. Finally, the Participant will submit a Summary of up to his
73   or her top ten best Issues that were submitted on the `Native
74   Client Issue Tracker
75   <http://code.google.com/p/nativeclient/issues/list>`_. Since it is
76   possible that an Issue may not be verified until after the Contest
77   End Date, if a Participant includes such an Issue in their Summary
78   and such Issue is not ultimately verified, then that Issue will not
79   be considered to be part of the Summary.
80
81   Prizes will be awarded to those Participants who submit the best
82   Summaries as determined in the sole discretion of the Judges when
83   considering the Judging Criteria described herein.
84
85#. Sponsor
86
87   The Contest is sponsored by Google Inc. ("Google" or "Sponsor"), a
88   Delaware corporation with its principal place of business at 1600
89   Amphitheater Parkway, Mountain View, CA, 94043, USA.
90
91#. Term
92
93   The Contest begins at 9:00:00 A.M. Pacific Time (PT) Zone in the
94   United States on Februrary 25th, 2009 ("Contest Start Date") and
95   ends at 11:59:59 P.M. PT on May 5th, 2009 ("Contest End
96   Date"). Participants must register by May 5th, 2009 at 11:59:59
97   Pacific Time to be eligible to participate. ENTRANTS ARE
98   RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR
99   RESPECTIVE JURISDICTIONS.
100
101#. Definitions
102
103   Throughout these Terms, Google will use the following defined terms
104   and words. Please review them carefully to ensure you understand.
105
106   1. Covert Channel Attack: A "Covert Channel Attack" means an
107      attempt to manipulate certain properties of a communications
108      medium in an unexpected, unconventional, or unforeseen way in
109      order to transmit information through the medium without
110      detection by anyone other than the entities operating the covert
111      channel. Exploits that are Covert Channel Attacks are excluded
112      from the Contest.
113
114   #. Exploit: An "Exploit" means a sequence of steps that require and
115      use Native Client to produce or have the potential to produce
116      behavior prohibited by Native Client's security policies and
117      design which can be found at
118      http://src.chromium.org/viewvc/native_client/trunk/src/native_client/README.html.
119      Google reserves the right to modify the security policies and
120      design at any time. An example of an Exploit would be producing
121      file system or network access outside of the scope of
122      permissible use via JavaScript in a browser. An Exploit that
123      defeats one but not all Native Client security measures is still
124      considered to produce behavior prohibited by Native Client's
125      security policies for the purposes of this Contest and would be
126      entitled to be identified as an Exploit in the Contest.
127
128   #. Inner Sandbox: The "Inner Sandbox" means the Native Client
129      security system that a) inspects executables before running them
130      to try to detect the potential for an executable to produce
131      prohibited behavior, and b) prevents from running any
132      executables that are detected to have the potential to produce
133      prohibited behavior.
134
135   #. Issue: An "Issue" means an entry of a single Exploit by a
136      Participant into the `Native Client Issue Tracker
137      <http://code.google.com/p/nativeclient/issues/list>`_ using a
138      properly filled out Security Contest Template. Once the Exploit
139      has been properly entered it becomes an Issue.
140
141   #. Native Client Issue Tracker: The "Native Client Issue Tracker"
142      is located at
143      http://code.google.com/p/nativeclient/issues/list. It is a web
144      application that manages and maintains a list of Issues,
145      including Issues that are not eligible for contest entry.
146
147   #. Native Client Version Number: The "Native Client Version Number"
148      is defined as the number between the platform name (separated by
149      an '_') and the file extension (separated by a '.') in the
150      Native Client download. For example, if the the filename of the
151      download on the Native Client download page is
152      "nacl_linux_0.1_32_2009_01_16.tgz" or
153      "nacl_windows_0.1_32_2009_01_16.zip", the Version Number is
154      "0.1_32_2009_01_16".
155
156   #. Outer Sandbox: The "Outer Sandbox" means the Native Client
157      security system that 1) observes executables while they are
158      running to detect the attempts at prohibited behavior and 2)
159      terminates misbehaving executables if it observes any attempts
160      to produce prohibited behavior.
161
162   #. Participant: A "Participant" means any individual or team of
163      individuals that has agreed to these Terms, meets the
164      eligibility criteria described below, and is participating in
165      the Contest.
166
167   #. Side Channel Attack: A "Side Channel Attack" means any attack
168      based on information gained as a side-effect of the
169      implementation of a cryptosystem, rather than brute force or
170      theoretical weaknesses in the algorithms. For example, attacks
171      that use timing information, power consumption variation,
172      electromagnetic leaks or sound to obtain information illicitly
173      are side channel attacks. Exploits that are Side Channel Attacks
174      are excluded from the Contest.
175
176   #. Summary: A "Summary" means the final electronic document
177      complying with the requirements of Section X that each
178      Participant must submit in order to participate in the
179      Contest. A Summary may contain up to 10 Issues. If Issues do not
180      ultimately become Verified Issues, they will not be considered
181      as part of the Summary and Participant understands and accepts
182      the risk that if the Participant identified an Issue on a
183      Summary that had not yet been verified, that Issue will not be
184      considered as part of the Summary if not subsequently verified.
185
186   #. Verified Issue: A "Verified Issue" means an Exploit that has
187      been a) submitted to the `Native Client Issue Tracker
188      <http://code.google.com/p/nativeclient/issues/list>`_ in
189      accordance with these Terms, and b) confirmed by the Native
190      Client team at Google to exhibit the behavior described in the
191      Issue report.
192
193#. Eligibility
194
195   The Contest is open to Participants who (1) have agreed to these
196   Terms; (2) who are of or above the legal age of majority, at the
197   time of entry, to form valid contracts in their respective country,
198   province or state of legal residence (and at least the age of 20 in
199   Taiwan); (3) are not residents of Italy, Brazil, Quebec, Cuba,
200   Iran, Syria, North Korea, Sudan, or Myanmar; and (4) who have
201   software development experience. Sponsor reserves the right to
202   verify eligibility and to adjudicate on any dispute at any
203   time. The Contest is void in, and not open to residents of, Italy,
204   Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan, Myanmar, or
205   to individuals and entities restricted by U.S. export controls and
206   sanctions, and is void in any other nation, state, or province
207   where prohibited or restricted by U.S. or local law.
208
209   Employees and contractors of Google, affiliates and subsidiaries of
210   Google, the Judges and members of their immediate families (defined
211   as parents, children, siblings and spouse, regardless of where they
212   reside and/or those living in the same household of each) are not
213   eligible to participate in the Contest. Judges may not help any
214   Participant with their submissions and Judges must recuse
215   themselves in cases where they have a conflict of interest that
216   becomes known to the Judge.
217
218#. Registration & Entry Process
219
220   1. All Participants must register at
221      code.google.com/contests/nativeclient-security/ by May 5th, 2009
222      at 11:59:59 Pacific Time. All individuals participating in the
223      Contest (either as an individual Participant or as a member of a
224      team) must provide the following registration information:
225
226      (a) Email Address(es) of the Participant. The first member of a
227          team to register must list the email addresses of all
228          members of the Participant team, and all members must
229          ultimately agree to the Terms as described more fully below.
230
231      (#) Nationality and primary place of residence of the Participant.
232
233      (#) If the Participant is a team, the email address of the team
234          member who is selected to be the recipient of the prize. The
235          first member of the team to register will designate this
236          information in the initial team registration.
237
238      (#) Participant name, which is the team name in the case of a
239          team or the user name chosen by an individual in the case of
240          an individual Participant.
241
242      Failure to fully, completely and accurately provide this
243      information will disqualify the Entry.
244
245   #. Any potential prize recipient may be required to show proof of
246      being the authorized account holder for an email address. The
247      "Authorized Account Holder" is the natural person assigned to an
248      email address by the relevant provider of email services.
249
250   #. Participants that are teams must provide the above registration
251      information for every individual who is a member of the
252      team. Every individual who is part of the team must agree to the
253      Terms in order for the team to be eligible to participate by
254      clicking the "I understand and agree" box (or the equivalent) on
255      the Contest entry webpage. Members of a team will be able to
256      edit the information relating to the team only until the last
257      member of the team has accepted these Terms by clicking the "I
258      understand and agree" box (or the equivalent) on the Contest
259      entry webpage. Issues submitted by members of a team prior to
260      the time that all individual members of the team have clicked
261      the "I understand and agree" box (or the equivalent) will not be
262      valid Issue submissions and will not be eligible entries in the
263      Contest. Google will send an email to all members of the team
264      when the final team member has accepted the terms, however
265      Google will have no liability for failure to send such an email
266      or for the failure of any team member to receive the email.
267
268   #. Issues submitted by Participants who are individuals prior to
269      the time that the individual has clicked the "I understand and
270      agree" box (or the equivalent) will not be valid Issue
271      submissions and will not be eligible entries in the
272      Contest. Google will send an email to the individual when the
273      individual has accepted the terms, however Google will have no
274      liability for failure to send such an email or for the failure
275      of any team member to receive the email.
276
277   #. All entries become the property of Sponsor and will not be
278      acknowledged or returned. Entries are void if they are in whole
279      or part illegible, incomplete, damaged, altered, counterfeit,
280      obtained through fraud, or late.
281
282   #. LIMIT ONE ENTRY PER PERSON. Individuals may only enter one time,
283      whether as an individual Participant or as a team
284      Participant. Google, in its sole discretion, may disqualify any
285      Participant (including team Participants) that it believes has
286      violated this provision.
287
288#. Submission Process
289
290   1. Each Participant must submit:
291
292      (a) At least one Issue in the `Native Client Issue Tracker
293          <http://code.google.com/p/nativeclient/issues/list>`_ that
294          describes an Exploit and includes the information detailed
295          in the "Issues" section below. Any team member can submit an
296          Issue on behalf of the team. All entries will be deemed made
297          by the Authorized Account Holder of the email address
298          submitted at the time of entry.
299
300      (#) One Summary per Participant that includes the information
301          detailed in the "Summary" section below. Participant will be
302          entitled to amend its Summary until the Contest End Date and
303          only the last version will be considered by the Judges.
304
305   #. Each Issue must be written in the English language. Google or
306      the Judges may refuse to review submissions that they deem
307      incomprehensible, include Issues that are not repeatable as
308      determined by Google, or that otherwise do not meet the
309      requirements of these Terms.
310
311   #. To enter an Issue in the `Native Client Issue Tracker
312      <http://code.google.com/p/nativeclient/issues/list>`_, each
313      Participant must use the "Security Contest Template" and provide
314      completely and accurately all information requested by the
315      template. Any Issues that are not entered with the "Security
316      Contest Template" may not be considered by the Judges. Each
317      Issue must contain the items described in the "Issues" section
318      of these Terms.
319
320#. Issues
321
322   1. Minimum requirements for Issues: Participant must identify an
323      Exploit and enter the Exploit into the `Native Client Issue
324      Tracker
325      <http://code.google.com/p/nativeclient/issues/list>`_. Once the
326      Exploit is submitted it becomes an Issue. Each submitted Issue
327      must include (i) the following information and (ii) all
328      additional information requested on the "Security Contest
329      Template":
330
331      (a) The user name (in the case of Individual Participants) or
332          the team name (in the case of team Participants) of the
333          Participant submitting the Issue, which must be identical to
334          the user name or team name submitted during the registration
335          process.
336
337      (#) A gzipped tar archive (with paths relative to
338          nacl/googleclient/native_client/tests/) that contains any
339          instructions and files necessary to reproduce the Exploit,
340          which must include:
341
342          (1) A README.txt file that describes:
343
344              * The version number of current version of Native Client
345                at the time of submission. Issues submitted with a
346                version number listed other than the current version
347                at the time of submission will be invalid;
348
349              * The steps required to reproduce the Exploit;
350
351              * The effect of the Exploit; and
352
353              * Platform requirements for the Exploit, including but
354                not necessarily limited to:
355
356              * browser version;
357
358              * operating system name(s) and version(s); and/or
359
360              * any other platform requirements relevant to the Exploit.
361
362          (#) If the Exploit requires a binary executable, both the
363              source code and binary executable must be provided upon
364              creation of the Issue. Any subsequent updates to the
365              source code or binary executable after the creation of
366              the Issue will not be considered for the purposes of
367              this Contest. The binary executable must build cleanly
368              by executing the command "make" in the exploit directory
369              (e.g. nacl/googleclient/native_client/tests/exploit1).
370
371   #. Verified Issues: In order for an Issue to become a Verified
372      Issue, Google will first examine the submitted Issue to
373      determine whether it complies with the following:
374
375      (a) The Exploit must not contain or depend upon access or use of
376          any third party software or code that Google does not have
377          readily available to it or that would require complying with
378          third party license agreement that Google in its sole
379          discretion deems onerous or burdensome.
380
381      (#) Google must be able to replicate the Exploit in its sole
382          discretion.
383
384      (#) The Exploit must affect at least one "opt-" platform from a
385          standard build of the most recent released version of Native
386          Client as of the time of submission of the Issue for the
387          Exploit.
388
389   #. Timeliness
390
391      (a) If the vulnerability exposed by the submitted Exploit was
392          disclosed in a previously reported Issue (whether or not
393          submitted by a Participant) or in the previously published
394          Native Client release notes, the submission will be invalid
395          for the purposes of this Contest. Two Exploits are
396          considered to expose the same vulnerability if the
397          theoretical patch required to fix one vulnerability also
398          fixes the second vulnerability.
399
400      (#) Google will update the Native Client source code base at
401          most twice per week. These updates, if they occur, will
402          appear Mondays and Thursdays between 3 p.m. and 8
403          p.m. Pacific Time.
404
405      (#) Issues will not be valid if they have been entered before
406          the later of (i) the Contest Start Date or (ii) the time at
407          which all members of a team Participant or the individual
408          Participant, as the case may be, have accepted these Terms.
409
410   #. Excluded Exploits. The following types of Exploits are invalid
411      for the purposes of this Contest:
412
413      * Covert Channel Attacks;
414
415      * Sidechannel Attacks;
416
417      * Exploits requiring a virtualized CPU;
418
419      * Exploits that rely on features, misfeatures or defects of
420        virtual machines (i.e. VMWare, Xen, Parallels etc.);
421
422      * Exploits that require the machine to be previously compromised
423        by malicious software (including but not limited to viruses or
424        malware); and
425
426      * Exploits that rely on hardware failures, other than Exploits
427        which, in Google’s sole judgment, depend on CPU errata but
428        which can be reproduced reliably with a common system
429        configuration and under normal operating conditions, or
430        statistically improbable hardware behaviors. Examples include
431        but are not limited to Exploits that rely on memory errors
432        induced by cosmic radiation, and Exploits that require
433        abnormal heating, cooling or other abnormal physical
434        conditions.
435
436   #. Completeness. Issues submitted that lack any of the above
437      materials or fail to meet any of the above criteria, may not be
438      considered in the judging process at Google's sole
439      discretion. Issues that are not included in a Participant
440      Summary (see section below) will not be considered.
441
442#. Summary
443
444   1. Every Participant must submit a Summary at the `Native Client
445      Issue Tracker
446      <http://code.google.com/p/nativeclient/issues/list>`_ complying
447      with the requirements of this section. The Participant must
448      select no more than 10 of the Verified Issues submitted by the
449      Participant for inclusion on the Summary. Each Summary must be
450      in English and must contain the following information:
451
452      * The Issues must be listed in descending order of severity, as
453        determined by the Participant in accordance with the Judging
454        Criteria.
455       
456      * Each Issue listed in the Summary must be identified by ID
457        number of the Issue. The ID number is the identifying number
458        created for each Issue as listed on the `Native Client Issue
459        Tracker <http://code.google.com/p/nativeclient/issues/list>`_.
460
461      * A description of the effect of each Exploit.
462
463      * The platform requirements of each Exploit.
464
465      * The version number(s) of Native Client software affected by
466        each Exploit (which must be the version number of the Native
467        Client software current at the time the Issue was submitted to
468        the `Native Client Issue Tracker
469        <http://code.google.com/p/nativeclient/issues/list>`_).
470
471      * Any other details about the Exploit and the submission that
472        are relevant to the judging criteria, such as, for example,
473        the approach used in finding the exploits, innovative or
474        scalable techniques used to discover exploits, or
475        architectural analysis.
476
477      * The team name or user name of the Participant. Google may, in
478        its sole discretion, eliminate or disqualify any Summary that
479        lists user names or team names that are not identical to the
480        user name or team name of the Participant listed on the
481        Contest entry form.
482
483   #. Each Summary must be a maximum of 8 pages long, in PDF format
484      viewable with Adobe Reader version 9. The Summary must be
485      formatted for 8.5 inches x11 inches or A4 paper, with a minimum
486      font size of 10 pt. Any submission that does not meet these
487      formatting criteria may be disqualified at the sole discretion
488      of Google.
489
490   #. All Issues listed in the Summary will be verified by Google
491      before submission of the Summary to the Judges after the Contest
492      Closing Date. Participants may submit or resubmit their Summary
493      at any time during the duration of the Contest, however, the
494      Judges will consider only the last Summary from each Participant
495      prior to the Contest Closing Date and ignore all other Summaries
496      previously submitted by the Participant.
497
498#. Judging
499
500   1. After the Contest End Date and on or about May 15th, 2009, all
501      submitted Summaries will be judged by one of at least three
502      panels with a minimum of three experts in the field of online
503      security ("Judges") on each panel. Judges will evaluate each
504      Summary in accordance with the Judging Criteria described
505      below. Each panel will evaluate a number of the submitted
506      Summaries using the Judging Criteria described below and will
507      select the highest ranking Summaries to move to the next level
508      of judging. During the first round of judging, each panel will
509      select no more than ten Summaries to move forward to the second
510      round of judging unless there is a tie between or among any
511      Participants. During the second round of judging, those
512      Summaries selected during the first round of judging will then
513      be evaluated by all Judges using the below Judging Criteria and
514      the top five Summaries will be selected as potential
515      winners. All decisions of the Judges are final and binding.
516
517   #. Judging Criteria. The Judges will consider each Summary under
518      following judging criteria ("Judging Criteria"):
519
520      (a) Quality of Exploit. Quality will be decided by the Judges in
521          their sole discretion and will be based on (in order of
522          importance to the Judges) Severity, Scope, Reliability and
523          Style.
524
525          (i) Severity: the more disruptive the effects of the
526              Exploit, the higher its quality. Here is a
527              non-exhaustive ranking of the most common Exploits
528              starting from 'minor' to 'severe':
529
530              * Browser crash;
531
532              * Denial of service or machine crash;
533
534              * Compromise of the Outer Sandbox;
535
536              * Information leak (such as of a cookie or password);
537
538              * Compromise of both the Inner and Outer Sandbox; and/or
539
540              * Prohibited side effect (such as reading or writing
541                files to the client machine), escalation of privilege
542                (such as executing other programs outside of Native
543                Client).
544
545              Any Exploit that does not address the above elements
546              will be evaluated on a case-by-case basis and the
547              severity of such Exploits will be determined solely at
548              the Judge’s discretion.
549
550          (#) Scope: the more computers that an Exploit would
551              potentially affect, the bigger its scope and therefore
552              higher the quality of the Exploit. Consider the
553              following:
554
555              * Exploits that affect all platforms supported by Native
556                Client (where platform is defined as a browser,
557                operating system and hardware combination) have higher
558                quality than an Exploit specific to a particular
559                platform.
560
561              * Exploits that require non-current or beta versions
562                (historic or future) of hardware or software are lower
563                quality.
564
565              * Exploits that rely on concurrent usage of other
566                installed software or web content must make a
567                compelling case about the likelihood of the
568                prerequisite software or content being present, or
569                they will be considered of lower quality.
570
571          (#) Reliability: The more frequent or probable the
572              occurrence identified by the Exploit, the more
573              "reliable" it may be. Consider the following:
574
575              * Exploits that require uncommon software to be
576                installed on the machine in order to function will be
577                deemed to have lower quality.
578
579              * Entries that include Exploits that cannot be
580                reproduced 100% of the time, but which can be
581                reproduced a significant percentage of the time, will
582                be deemed to have a lower quality to account for a
583                lowered probability that the attack will succeed.
584
585          (#) Style: Submissions that demonstrate exceptional style
586              will receive a higher ranking. Factors that contribute
587              to style include:
588
589              * Ingenuity in mechanism used to bypass security;
590
591              * Uniqueness of the Exploit;
592
593              * Ingenuity in methods used to discover vulnerabilities;
594                and/or Minimal size of Exploit to achieve the effect.
595
596      (#) the Quantity of Exploits: Participants that submit more
597          Exploits in their Summary (but no more than 10) may receive
598          a higher ranking, weighted by quality. However, it is still
599          possible that a Participant who submits one Exploit could
600          still outweigh a Participant that submits several Exploits.
601
602      Considering each of the factors described above, the Judges will
603      give each Summary a "Score" from 1-10 that represents the Judges
604      evaluation of the Summary. This "score" will determine which
605      participants move from the first round of judging to the second
606      round of judging, and which participants will be selected as a
607      winner.
608
609   #. Winner Selection
610
611      Judges will review the Summaries as discussed in the "Judging"
612      section, above. The Summaries with the five (5) highest scores
613      will be selected as potentially winning Participants. In the
614      event of a tie ranking for two or more Summaries, the
615      Participant whose Summary had the highest ranking for "Severity"
616      will receive the higher prize. In the event of a second tie, the
617      Participant whose Summary had the highest ranking for "Scope"
618      will receive the higher prize. Odds of winning depend on the
619      number of eligible entries received and the skill of the
620      Participants.
621
622      The Judges are under no obligation to provide feedback on their
623      decisions or on their judgment on specific Exploits they
624      consider.
625
626   #. Team Winners
627
628      A special note about the prize distribution process for
629      Participants who are entering as part of a team:
630
631      A single member of each team shall be designated to receive the
632      prize, if any, awarded to such team at the initial registration
633      of the team, and Google shall have no responsibility for
634      distribution of the prize among the team members.
635
636      Each individual that enters as part of a team, understands and
637      agrees that if his/her team is selected to receive a prize, the
638      team is responsible for ensuring the funds are appropriately
639      distributed to each member of the team. In addition, once a team
640      has registered, the team may not add, remove, or substitute any
641      members or otherwise change the composition of the team for the
642      duration of the Contest. If any member of a team does not comply
643      with these Terms, is ineligible or is disqualified, the team as
644      a whole may be disqualified in Google’s sole discretion.
645
646#. Prizes
647
648   1. Information Required for Eligibility
649
650      (a) On or about May 15th 2009 and upon selection of potential
651          winners, Google will contact all winning Participants using
652          the email addresses submitted at registration. In order to
653          win the Contest and receive prizes, Participants, including
654          each individual on a team, must provide additional
655          information including:
656
657          * first and last name;
658
659          * address;
660
661          * phone number; and
662
663          * all other necessary information required by the US tax and
664            legal authorities and /or the authorities of the countries
665            they reside in.
666
667      (#) All Participants will need to verify their identity with
668          Google, before receiving their prize; however, Participants
669          may provide an alias for use in any public documentation and
670          marketing material issued publicly by Google, subject to
671          limitations of the law and as required by law
672          enforcement. Please be aware that in some jurisdictions, a
673          list of winners must be made available and your name, and
674          not the alias, will be provided on that list. If a
675          Participant, or in the case of a team, any individual member
676          of the team, refuses or fails to provide the necessary
677          information to Google within 14 days of the Contest
678          administrators' request for the required information, then
679          Google may, in its sole discretion, disqualify the
680          Participant's entry and select as an alternative potential
681          winner the Participant with the next highest overall
682          ranking. Google will not be held responsible for any failure
683          of potential winners to receive notification that they are
684          potential winners. Except where prohibited by law, each
685          potential winner may be required to sign and return a
686          Declaration of Eligibility, Liability & Publicity Release
687          and Release of Rights and provide any additional information
688          that may be required by Google. If required, potential
689          winners must return all such required documents within 14
690          calendar days following attempted notification or such
691          potential winner will be deemed to have forfeited the prize
692          and Google will select the Participant with the next highest
693          overall ranking as the potential winner.
694
695      (#) Prizes will be awarded within 6 months after the Contest End Date.
696
697      (#) If fewer than 5 Participants or teams are found eligible,
698          fewer than 5 winners will be selected.
699
700      (#) Prizes are not transferable or substitutable, except by
701          Google in its sole discretion in the event a prize becomes
702          unavailable for any reason. In such an instance, Google will
703          award a prize of equal or greater value.
704
705      (#) LIMIT: Only one prize per Participant.
706
707   #. Prize Amounts and Announcement
708
709      Provided that the Participant has complied with these Terms,
710      eligible Participants that are ranked in the top 5 positions of
711      the competition by Judges will receive the following awards in
712      U.S. Dollars based on their rank: 1st prize: $8,192.00, 2nd
713      prize: $4,096.00, 3rd prize: $2,048.00, 4th prize: $1,024.00,
714      5th prize: $1,024.00. Winning Entries will be announced on or
715      about December 7th.
716
717   #. Distribution of a Prize
718
719      Google is not responsible for any division or distribution of
720      the prizes among or between team members. Distribution or
721      division of the prize among individual team members is the sole
722      responsibility of the participating team. Google will award the
723      prize only to the one (1) member of the team, who was identified
724      by the Participant to receive the prize as part of the
725      registration process. Google will attempt to reach only the
726      designated recipient for purposes of distribution of the prize.
727
728      Prizes are awarded without warranty of any kind from Google,
729      express or implied, without limitation, except where this would
730      be contrary to federal, state, provincial, or local laws or
731      regulations. All federal, state, provincial and local laws and
732      regulations apply.
733
734   #. Taxes
735
736      Payments to potential prize winners are subject to the express
737      requirement that they submit to Google all documentation
738      requested by Google to permit it to comply with all applicable
739      US, state, local and foreign (including provincial) tax
740      reporting and withholding requirements. All prizes will be net
741      of any taxes Google is required by law to withhold. All taxes
742      imposed on the prize are the sole responsibility of the prize
743      recipient.
744
745      In order to receive a prize, potential prize recipients must
746      submit the tax documentation requested by Google or otherwise
747      required by applicable law, to Google or the relevant tax
748      authority, all as determined by applicable law, including, where
749      relevant, the law of the potential prize recipient's country of
750      residence. The potential prize recipient is responsible for
751      ensuring that (s)he complies with all the applicable tax laws
752      and filing requirements. If a potential prize recipient fails to
753      provide such documentation or comply with such laws, the prize
754      may be forfeited and Google may, in its sole discretion, select
755      an alternative potential prize recipient.
756
757#. General Conditions
758
759   1. Right to Disqualify. A Participant may be prohibited from
760      participating in or be disqualified from this Contest if, in
761      Google's sole discretion, it reasonably believes that the
762      Participant or any member of a Participant team has attempted to
763      undermine the legitimate operation of the Contest by cheating,
764      deception, or other unfair playing practices or annoys, abuses,
765      threatens or harasses any other Participants, Google, or the
766      Judges. Google further reserves the right to disqualify any
767      Issue that it believes in its sole and unfettered discretion
768      infringes upon or violates the rights of any third party,
769      otherwise does not comply with these Terms, or violates U.S. or
770      applicable local law in Participant's country of residence.
771
772      Google further reserves the right to disqualify any Participant
773      who tampers with the submission process or any other part of the
774      Contest. Any attempt by a Participant to deliberately damage any
775      web site or undermine the legitimate operation of the Contest is
776      a violation of criminal and civil laws and should such an
777      attempt be made, Google reserves the right to seek damages from
778      any such Participant to the fullest extent of the applicable
779      law.
780
781   #. Internet Disclaimer. Google is not responsible for any
782      malfunction of the entire Contest, the web site displaying the
783      Contest terms and entry information, or any late, lost, damaged,
784      misdirected, incomplete, illegible, undeliverable, or destroyed
785      Exploits, Issues or Summaries due to system errors, failed,
786      incomplete or garbled computer or other telecommunication
787      transmission malfunctions, hardware or software failures of any
788      kind, lost or unavailable network connections, typographical or
789      system/human errors and failures, technical malfunction(s) of
790      any telephone network or lines, cable connections, satellite
791      transmissions, servers or providers, or computer equipment,
792      traffic congestion on the Internet or at the web site displaying
793      the Contest or any combination thereof, including other
794      telecommunication, cable, digital or satellite malfunctions
795      which may limit an entrant’s ability to participate. Google is
796      not responsible for availability of the `Native Client Issue
797      Tracker <http://code.google.com/p/nativeclient/issues/list>`_
798      from your preferred point of Internet access. In the event of a
799      technical disruption, Google may, in its sole discretion, extend
800      the Contest End Date for a reasonable period. Google will
801      attempt to notify Participants of any such extension by email at
802      the email address in the registration information, but shall
803      have no liability for any failure of such notification.
804
805   #. Exploits Independently Discovered by Google. You acknowledge and
806      understand that Google may discover Exploits independently that
807      may be similar to or identical to your Issues in terms of
808      function, vulnerability, or in other respects. You agree that
809      you will not be entitled to any rights in, or compensation in
810      connection with, any such similar or identical applications
811      and/or ideas. You acknowledge that you have submitted your entry
812      voluntarily and not in confidence or in trust.
813
814   #. No Contract for Employment. You acknowledge that no
815      confidential, fiduciary, agency or other relationship or
816      implied-in-fact contract now exists between you and Google and
817      that no such relationship is established by your submission of
818      an entry to Google in this Contest. Under no circumstances shall
819      the submission of an entry in the Contest, the awarding of a
820      prize, or anything in these Terms be construed as an offer or
821      contract of employment with Google.
822
823   #. Intellectual Property Rights and License. Participants warrant
824      that their Exploit and Summary are their own original work and,
825      as such, they are the sole and exclusive owner and rights holder
826      of the submitted Exploit and Summary and that they have the
827      right to submit the Exploit and Summary in the Contest and grant
828      all required licenses. Each Participant agrees not to submit any
829      Exploit and Summary that (a) infringes any third party
830      proprietary rights, intellectual property rights, industrial
831      property rights, personal or moral rights or any other rights,
832      including without limitation, copyright, trademark, patent,
833      trade secret, privacy, publicity or confidentiality obligations;
834      or (b) otherwise violates the applicable state, federal,
835      provincial or local law.
836
837      As between Google and the Participant, the Participant retains
838      ownership of all intellectual and industrial property rights in
839      and to the Issues and Summary that Participant created. As a
840      condition of entry, Participant grants Google a perpetual,
841      irrevocable, worldwide, royalty-free, and non-exclusive license
842      to use, reproduce, publicly perform, publicly display,
843      distribute, sublicense and create a derivative work from, any
844      Issue or Summary that Participant submits to this Contest for
845      the purposes of allowing Google to test, evaluate and fix or
846      remedy the Issue and Summary for purposes of the Contest and
847      modifying or improving the Native Client software or any other
848      current or future Google product or service.
849
850      Participant also grants Google the right to reproduce and
851      distribute the Issue and the Summary. In addition, Participant
852      specifically agrees that Google shall have the right to use,
853      reproduce, publicly perform, and publicly display the Issue and
854      Summary in connection with the advertising and promotion of the
855      Native Client software or any other current or future Google
856      product or service via communication to the public or other
857      groups, including, but not limited to, the right to make
858      screenshots, animations and video clips available for
859      promotional purposes.
860
861   #. Privacy. Participants agree that personal data provided to
862      Google during the Contest, including name, mailing address,
863      phone number, and email address may be processed, stored, and
864      otherwise used for the purposes and within the context of the
865      Contest. This data will be maintained in accordance with the
866      Google Privacy Policy found at
867      http://www.google.com/privacypolicy.html. This data will also be
868      transferred into the United States. By entering, Participants
869      agree to the transmission, processing, and storage of this
870      personal data in the United States.
871
872      Participants also understand this data may be used by Google in
873      order to verify a Participant's identity, postal address and
874      telephone number in the event a Participant qualifies for a
875      prize. Participants have the right to access, review, rectify or
876      cancel any personal data held by Google in connection with the
877      Contest by writing to Google at the address listed below in the
878      section entitled "Winner’s List."
879
880      For residents of the European Union:
881
882      Pursuant to EU law pertaining to data collection and processing,
883      you are informed that:
884
885      * The data controller is Google and the data recipients are
886        Google and its agents;
887
888      * Your data is collected for purposes of administration of the
889        Native Client Security Contest;
890
891      * You have a right of access to and withdrawal of your personal
892        data. You also have a right of opposition to the data
893        collection, under certain circumstances. To exercise such
894        right, You may write to: Native Client Security Contest,
895        Google Inc., 1600 Amphitheater Parkway, Mountain View, CA
896        94043, USA.
897
898      * Your personal data will be transferred to the U.S.
899
900   #. Indemnity. To the maximum extent permitted by law, each
901      Participant indemnifies and agrees to keep indemnified Google
902      and Judges at all times from and against any liability, claims,
903      demands, losses, damages, costs and expenses resulting from any
904      act, default or omission of the Participant and/or a breach of
905      any warranty set forth herein. To the maximum extent permitted
906      by law, each Participant agrees to defend, indemnify and hold
907      harmless Google, its affiliates and their respective directors,
908      officers, employees and agents from and against any and all
909      claims, actions, suits or proceedings, as well as any and all
910      losses, liabilities, damages, costs and expenses (including
911      reasonable attorneys fees) arising out of or accruing from:
912
913      (a) any material uploaded or otherwise provided by the
914          Participant that infringes any copyright, trademark, trade
915          secret, trade dress, patent or other intellectual property
916          right of any person or defames any person or violates their
917          rights of publicity or privacy,
918
919      (b) any misrepresentation made by the Participant in connection
920          with the Contest;
921
922      (c) any non-compliance by the Participant with these Terms; and
923
924      (d) claims brought by persons or entities other than the parties
925          to these Terms arising from or related to the Participant's
926          involvement with the Contest.
927
928      To the extent permitted by law, Participant agrees to hold
929      Google, its respective directors, officers, employees and
930      assigns harmless for any injury or damage caused or claimed to
931      be caused by participation in the Contest and/or use or
932      acceptance of any prize, except to the extent that any death or
933      personal injury is caused by the negligence of Google.
934
935   #. Elimination. Any false information provided within the context
936      of the Contest by any Participant including information
937      concerning identity, mailing address, telephone number, email
938      address, or ownership of right, or non-compliance with these
939      Terms or the like may result in the immediate elimination of the
940      Participant from the Contest. In the event an individual who is
941      a member of a team supplies information that is covered by this
942      section, the entire team shall be disqualified.
943
944   #. Right to Cancel. If for any reason the Contest is not capable of
945      running as planned, including infection by computer virus, bugs,
946      tampering, unauthorized intervention, fraud, technical failures,
947      or any other causes which corrupt or affect the administration,
948      security, fairness, integrity, or proper conduct of the Contest,
949      Google reserves the right at its sole discretion to cancel,
950      terminate, modify or suspend the Contest.
951
952   #. Forum and Recourse to Judicial Procedures. These Terms shall be
953      governed by, subject to, and construed in accordance with the
954      laws of the State of California, United States of America,
955      excluding all conflict of law rules. If any provision(s) of
956      these Terms are held to be invalid or unenforceable, all
957      remaining provisions hereof will remain in full force and
958      effect. To the extent permitted by law, the rights to litigate,
959      seek injunctive relief or make any other recourse to judicial or
960      any other procedure in case of disputes or claims resulting from
961      or in connection with this Contest are hereby excluded, and all
962      Participants expressly waive any and all such rights.
963
964   #. Arbitration. By entering the Contest, you agree that exclusive
965      jurisdiction for any dispute, claim, or demand related in any
966      way to the Contest will be decided by binding arbitration. All
967      disputes between you and Google, of whatsoever kind or nature
968      arising out of these Terms, shall be submitted to Judicial
969      Arbitration and Mediation Services, Inc. ("JAMS") for binding
970      arbitration under its rules then in effect in the San Jose,
971      California, USA area, before one arbitrator to be mutually
972      agreed upon by both parties. The parties agree to share equally
973      in the arbitration costs incurred.
974
975   #. Winner List
976
977      You may request a list of winners after December 7th, 2009 by
978      writing to:
979
980      | Native Client Security Contest
981      | Google Inc.
982      | 1600 Amphitheater Parkway
983      | Mountain View, CA 94043
984      | USA
985
986      (Residents of Vermont need not supply postage).
987