contest-terms.rst revision 4e180b6a0b4720a9b8e9e959a882386f690f08ff
1.. _contest_terms: 2 3##################################### 4Security Contest Terms and Conditions 5##################################### 6 7.. contents:: 8 :local: 9 :backlinks: none 10 :depth: 2 11 12.. include:: contest-warning.txt 13 14.. Note:: 15 :class: warning 16 17 This has been reformatted from the original, and the enumeration 18 list numbering style differs from the original document. 19 20NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED. CONTEST 21IS OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA 22AND WORLDWIDE, EXCEPT FOR ITALY, BRAZIL, QUEBEC, CUBA, IRAN, SYRIA, 23NORTH KOREA, SUDAN AND MYANMAR. 24 25ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS AND 26CONDITIONS. 27 28I. Binding Agreement 29 30 In order to enter the Native Client Security Contest ("Contest"), 31 you must agree to these Terms and Conditions ("Terms"). Therefore, 32 please read these Terms prior to entry to ensure you understand and 33 agree. You agree that submission of an entry in the Contest 34 constitutes your agreement to these Terms. After reading the Terms 35 and in order to participate, each Participant (as defined below) 36 must complete the registration form, clicking the "I understand and 37 agree" box (or the equivalent), on the Contest entry webpage. Once 38 the Participant clicks the "I understand and agree" box (or the 39 equivalent), the Terms form a binding legal agreement between each 40 Participant and Google with respect to the Contest. 41 42 Participants may not submit an Exploit, Issue or Summary to the 43 Contest and are not eligible to receive the prizes described in 44 these Terms unless they agree to these Terms. If a Participant is 45 part of a team, each member of the team must read and agree to 46 these Terms and click on the "I understand and agree" box (or the 47 equivalent) described herein. Failure of any member of a team to 48 agree to these Terms and click on the "I understand and agree" box 49 (or the equivalent) described herein will disqualify the entire 50 team. 51 52 By entering, Participant warrants that Participant has not violated 53 any employment agreement or other restriction imposed by his or her 54 employer by participating in this Contest. 55 56#. Description 57 58 The Contest is organized by Google and is designed to motivate the 59 developer community to identify and report security Exploits (as 60 defined below) on Google’s Native Client software and reward those 61 developers who identify one or more security Exploits that are 62 evaluated as a winning exploit by the Judges. 63 64 Once a Participant has registered for the Contest, the Participant 65 will be asked to identify security Exploits in Google’s Native 66 Client Software and enter those Exploits on Google’s `Native Client 67 Issue Tracker <http://code.google.com/p/nativeclient/issues/list>`_ 68 web site using the "Security Contest Template." At this point, the 69 Exploit will become an Issue and will no longer be able to be 70 identified by another Participant. Google will then verify that the 71 Issue is reproducible. If so, that Issue will become a Verified 72 Issue. Finally, the Participant will submit a Summary of up to his 73 or her top ten best Issues that were submitted on the `Native 74 Client Issue Tracker 75 <http://code.google.com/p/nativeclient/issues/list>`_. Since it is 76 possible that an Issue may not be verified until after the Contest 77 End Date, if a Participant includes such an Issue in their Summary 78 and such Issue is not ultimately verified, then that Issue will not 79 be considered to be part of the Summary. 80 81 Prizes will be awarded to those Participants who submit the best 82 Summaries as determined in the sole discretion of the Judges when 83 considering the Judging Criteria described herein. 84 85#. Sponsor 86 87 The Contest is sponsored by Google Inc. ("Google" or "Sponsor"), a 88 Delaware corporation with its principal place of business at 1600 89 Amphitheater Parkway, Mountain View, CA, 94043, USA. 90 91#. Term 92 93 The Contest begins at 9:00:00 A.M. Pacific Time (PT) Zone in the 94 United States on Februrary 25th, 2009 ("Contest Start Date") and 95 ends at 11:59:59 P.M. PT on May 5th, 2009 ("Contest End 96 Date"). Participants must register by May 5th, 2009 at 11:59:59 97 Pacific Time to be eligible to participate. ENTRANTS ARE 98 RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR 99 RESPECTIVE JURISDICTIONS. 100 101#. Definitions 102 103 Throughout these Terms, Google will use the following defined terms 104 and words. Please review them carefully to ensure you understand. 105 106 1. Covert Channel Attack: A "Covert Channel Attack" means an 107 attempt to manipulate certain properties of a communications 108 medium in an unexpected, unconventional, or unforeseen way in 109 order to transmit information through the medium without 110 detection by anyone other than the entities operating the covert 111 channel. Exploits that are Covert Channel Attacks are excluded 112 from the Contest. 113 114 #. Exploit: An "Exploit" means a sequence of steps that require and 115 use Native Client to produce or have the potential to produce 116 behavior prohibited by Native Client's security policies and 117 design which can be found at 118 http://src.chromium.org/viewvc/native_client/trunk/src/native_client/README.html. 119 Google reserves the right to modify the security policies and 120 design at any time. An example of an Exploit would be producing 121 file system or network access outside of the scope of 122 permissible use via JavaScript in a browser. An Exploit that 123 defeats one but not all Native Client security measures is still 124 considered to produce behavior prohibited by Native Client's 125 security policies for the purposes of this Contest and would be 126 entitled to be identified as an Exploit in the Contest. 127 128 #. Inner Sandbox: The "Inner Sandbox" means the Native Client 129 security system that a) inspects executables before running them 130 to try to detect the potential for an executable to produce 131 prohibited behavior, and b) prevents from running any 132 executables that are detected to have the potential to produce 133 prohibited behavior. 134 135 #. Issue: An "Issue" means an entry of a single Exploit by a 136 Participant into the `Native Client Issue Tracker 137 <http://code.google.com/p/nativeclient/issues/list>`_ using a 138 properly filled out Security Contest Template. Once the Exploit 139 has been properly entered it becomes an Issue. 140 141 #. Native Client Issue Tracker: The "Native Client Issue Tracker" 142 is located at 143 http://code.google.com/p/nativeclient/issues/list. It is a web 144 application that manages and maintains a list of Issues, 145 including Issues that are not eligible for contest entry. 146 147 #. Native Client Version Number: The "Native Client Version Number" 148 is defined as the number between the platform name (separated by 149 an '_') and the file extension (separated by a '.') in the 150 Native Client download. For example, if the the filename of the 151 download on the Native Client download page is 152 "nacl_linux_0.1_32_2009_01_16.tgz" or 153 "nacl_windows_0.1_32_2009_01_16.zip", the Version Number is 154 "0.1_32_2009_01_16". 155 156 #. Outer Sandbox: The "Outer Sandbox" means the Native Client 157 security system that 1) observes executables while they are 158 running to detect the attempts at prohibited behavior and 2) 159 terminates misbehaving executables if it observes any attempts 160 to produce prohibited behavior. 161 162 #. Participant: A "Participant" means any individual or team of 163 individuals that has agreed to these Terms, meets the 164 eligibility criteria described below, and is participating in 165 the Contest. 166 167 #. Side Channel Attack: A "Side Channel Attack" means any attack 168 based on information gained as a side-effect of the 169 implementation of a cryptosystem, rather than brute force or 170 theoretical weaknesses in the algorithms. For example, attacks 171 that use timing information, power consumption variation, 172 electromagnetic leaks or sound to obtain information illicitly 173 are side channel attacks. Exploits that are Side Channel Attacks 174 are excluded from the Contest. 175 176 #. Summary: A "Summary" means the final electronic document 177 complying with the requirements of Section X that each 178 Participant must submit in order to participate in the 179 Contest. A Summary may contain up to 10 Issues. If Issues do not 180 ultimately become Verified Issues, they will not be considered 181 as part of the Summary and Participant understands and accepts 182 the risk that if the Participant identified an Issue on a 183 Summary that had not yet been verified, that Issue will not be 184 considered as part of the Summary if not subsequently verified. 185 186 #. Verified Issue: A "Verified Issue" means an Exploit that has 187 been a) submitted to the `Native Client Issue Tracker 188 <http://code.google.com/p/nativeclient/issues/list>`_ in 189 accordance with these Terms, and b) confirmed by the Native 190 Client team at Google to exhibit the behavior described in the 191 Issue report. 192 193#. Eligibility 194 195 The Contest is open to Participants who (1) have agreed to these 196 Terms; (2) who are of or above the legal age of majority, at the 197 time of entry, to form valid contracts in their respective country, 198 province or state of legal residence (and at least the age of 20 in 199 Taiwan); (3) are not residents of Italy, Brazil, Quebec, Cuba, 200 Iran, Syria, North Korea, Sudan, or Myanmar; and (4) who have 201 software development experience. Sponsor reserves the right to 202 verify eligibility and to adjudicate on any dispute at any 203 time. The Contest is void in, and not open to residents of, Italy, 204 Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan, Myanmar, or 205 to individuals and entities restricted by U.S. export controls and 206 sanctions, and is void in any other nation, state, or province 207 where prohibited or restricted by U.S. or local law. 208 209 Employees and contractors of Google, affiliates and subsidiaries of 210 Google, the Judges and members of their immediate families (defined 211 as parents, children, siblings and spouse, regardless of where they 212 reside and/or those living in the same household of each) are not 213 eligible to participate in the Contest. Judges may not help any 214 Participant with their submissions and Judges must recuse 215 themselves in cases where they have a conflict of interest that 216 becomes known to the Judge. 217 218#. Registration & Entry Process 219 220 1. All Participants must register at 221 code.google.com/contests/nativeclient-security/ by May 5th, 2009 222 at 11:59:59 Pacific Time. All individuals participating in the 223 Contest (either as an individual Participant or as a member of a 224 team) must provide the following registration information: 225 226 (a) Email Address(es) of the Participant. The first member of a 227 team to register must list the email addresses of all 228 members of the Participant team, and all members must 229 ultimately agree to the Terms as described more fully below. 230 231 (#) Nationality and primary place of residence of the Participant. 232 233 (#) If the Participant is a team, the email address of the team 234 member who is selected to be the recipient of the prize. The 235 first member of the team to register will designate this 236 information in the initial team registration. 237 238 (#) Participant name, which is the team name in the case of a 239 team or the user name chosen by an individual in the case of 240 an individual Participant. 241 242 Failure to fully, completely and accurately provide this 243 information will disqualify the Entry. 244 245 #. Any potential prize recipient may be required to show proof of 246 being the authorized account holder for an email address. The 247 "Authorized Account Holder" is the natural person assigned to an 248 email address by the relevant provider of email services. 249 250 #. Participants that are teams must provide the above registration 251 information for every individual who is a member of the 252 team. Every individual who is part of the team must agree to the 253 Terms in order for the team to be eligible to participate by 254 clicking the "I understand and agree" box (or the equivalent) on 255 the Contest entry webpage. Members of a team will be able to 256 edit the information relating to the team only until the last 257 member of the team has accepted these Terms by clicking the "I 258 understand and agree" box (or the equivalent) on the Contest 259 entry webpage. Issues submitted by members of a team prior to 260 the time that all individual members of the team have clicked 261 the "I understand and agree" box (or the equivalent) will not be 262 valid Issue submissions and will not be eligible entries in the 263 Contest. Google will send an email to all members of the team 264 when the final team member has accepted the terms, however 265 Google will have no liability for failure to send such an email 266 or for the failure of any team member to receive the email. 267 268 #. Issues submitted by Participants who are individuals prior to 269 the time that the individual has clicked the "I understand and 270 agree" box (or the equivalent) will not be valid Issue 271 submissions and will not be eligible entries in the 272 Contest. Google will send an email to the individual when the 273 individual has accepted the terms, however Google will have no 274 liability for failure to send such an email or for the failure 275 of any team member to receive the email. 276 277 #. All entries become the property of Sponsor and will not be 278 acknowledged or returned. Entries are void if they are in whole 279 or part illegible, incomplete, damaged, altered, counterfeit, 280 obtained through fraud, or late. 281 282 #. LIMIT ONE ENTRY PER PERSON. Individuals may only enter one time, 283 whether as an individual Participant or as a team 284 Participant. Google, in its sole discretion, may disqualify any 285 Participant (including team Participants) that it believes has 286 violated this provision. 287 288#. Submission Process 289 290 1. Each Participant must submit: 291 292 (a) At least one Issue in the `Native Client Issue Tracker 293 <http://code.google.com/p/nativeclient/issues/list>`_ that 294 describes an Exploit and includes the information detailed 295 in the "Issues" section below. Any team member can submit an 296 Issue on behalf of the team. All entries will be deemed made 297 by the Authorized Account Holder of the email address 298 submitted at the time of entry. 299 300 (#) One Summary per Participant that includes the information 301 detailed in the "Summary" section below. Participant will be 302 entitled to amend its Summary until the Contest End Date and 303 only the last version will be considered by the Judges. 304 305 #. Each Issue must be written in the English language. Google or 306 the Judges may refuse to review submissions that they deem 307 incomprehensible, include Issues that are not repeatable as 308 determined by Google, or that otherwise do not meet the 309 requirements of these Terms. 310 311 #. To enter an Issue in the `Native Client Issue Tracker 312 <http://code.google.com/p/nativeclient/issues/list>`_, each 313 Participant must use the "Security Contest Template" and provide 314 completely and accurately all information requested by the 315 template. Any Issues that are not entered with the "Security 316 Contest Template" may not be considered by the Judges. Each 317 Issue must contain the items described in the "Issues" section 318 of these Terms. 319 320#. Issues 321 322 1. Minimum requirements for Issues: Participant must identify an 323 Exploit and enter the Exploit into the `Native Client Issue 324 Tracker 325 <http://code.google.com/p/nativeclient/issues/list>`_. Once the 326 Exploit is submitted it becomes an Issue. Each submitted Issue 327 must include (i) the following information and (ii) all 328 additional information requested on the "Security Contest 329 Template": 330 331 (a) The user name (in the case of Individual Participants) or 332 the team name (in the case of team Participants) of the 333 Participant submitting the Issue, which must be identical to 334 the user name or team name submitted during the registration 335 process. 336 337 (#) A gzipped tar archive (with paths relative to 338 nacl/googleclient/native_client/tests/) that contains any 339 instructions and files necessary to reproduce the Exploit, 340 which must include: 341 342 (1) A README.txt file that describes: 343 344 * The version number of current version of Native Client 345 at the time of submission. Issues submitted with a 346 version number listed other than the current version 347 at the time of submission will be invalid; 348 349 * The steps required to reproduce the Exploit; 350 351 * The effect of the Exploit; and 352 353 * Platform requirements for the Exploit, including but 354 not necessarily limited to: 355 356 * browser version; 357 358 * operating system name(s) and version(s); and/or 359 360 * any other platform requirements relevant to the Exploit. 361 362 (#) If the Exploit requires a binary executable, both the 363 source code and binary executable must be provided upon 364 creation of the Issue. Any subsequent updates to the 365 source code or binary executable after the creation of 366 the Issue will not be considered for the purposes of 367 this Contest. The binary executable must build cleanly 368 by executing the command "make" in the exploit directory 369 (e.g. nacl/googleclient/native_client/tests/exploit1). 370 371 #. Verified Issues: In order for an Issue to become a Verified 372 Issue, Google will first examine the submitted Issue to 373 determine whether it complies with the following: 374 375 (a) The Exploit must not contain or depend upon access or use of 376 any third party software or code that Google does not have 377 readily available to it or that would require complying with 378 third party license agreement that Google in its sole 379 discretion deems onerous or burdensome. 380 381 (#) Google must be able to replicate the Exploit in its sole 382 discretion. 383 384 (#) The Exploit must affect at least one "opt-" platform from a 385 standard build of the most recent released version of Native 386 Client as of the time of submission of the Issue for the 387 Exploit. 388 389 #. Timeliness 390 391 (a) If the vulnerability exposed by the submitted Exploit was 392 disclosed in a previously reported Issue (whether or not 393 submitted by a Participant) or in the previously published 394 Native Client release notes, the submission will be invalid 395 for the purposes of this Contest. Two Exploits are 396 considered to expose the same vulnerability if the 397 theoretical patch required to fix one vulnerability also 398 fixes the second vulnerability. 399 400 (#) Google will update the Native Client source code base at 401 most twice per week. These updates, if they occur, will 402 appear Mondays and Thursdays between 3 p.m. and 8 403 p.m. Pacific Time. 404 405 (#) Issues will not be valid if they have been entered before 406 the later of (i) the Contest Start Date or (ii) the time at 407 which all members of a team Participant or the individual 408 Participant, as the case may be, have accepted these Terms. 409 410 #. Excluded Exploits. The following types of Exploits are invalid 411 for the purposes of this Contest: 412 413 * Covert Channel Attacks; 414 415 * Sidechannel Attacks; 416 417 * Exploits requiring a virtualized CPU; 418 419 * Exploits that rely on features, misfeatures or defects of 420 virtual machines (i.e. VMWare, Xen, Parallels etc.); 421 422 * Exploits that require the machine to be previously compromised 423 by malicious software (including but not limited to viruses or 424 malware); and 425 426 * Exploits that rely on hardware failures, other than Exploits 427 which, in Google’s sole judgment, depend on CPU errata but 428 which can be reproduced reliably with a common system 429 configuration and under normal operating conditions, or 430 statistically improbable hardware behaviors. Examples include 431 but are not limited to Exploits that rely on memory errors 432 induced by cosmic radiation, and Exploits that require 433 abnormal heating, cooling or other abnormal physical 434 conditions. 435 436 #. Completeness. Issues submitted that lack any of the above 437 materials or fail to meet any of the above criteria, may not be 438 considered in the judging process at Google's sole 439 discretion. Issues that are not included in a Participant 440 Summary (see section below) will not be considered. 441 442#. Summary 443 444 1. Every Participant must submit a Summary at the `Native Client 445 Issue Tracker 446 <http://code.google.com/p/nativeclient/issues/list>`_ complying 447 with the requirements of this section. The Participant must 448 select no more than 10 of the Verified Issues submitted by the 449 Participant for inclusion on the Summary. Each Summary must be 450 in English and must contain the following information: 451 452 * The Issues must be listed in descending order of severity, as 453 determined by the Participant in accordance with the Judging 454 Criteria. 455 456 * Each Issue listed in the Summary must be identified by ID 457 number of the Issue. The ID number is the identifying number 458 created for each Issue as listed on the `Native Client Issue 459 Tracker <http://code.google.com/p/nativeclient/issues/list>`_. 460 461 * A description of the effect of each Exploit. 462 463 * The platform requirements of each Exploit. 464 465 * The version number(s) of Native Client software affected by 466 each Exploit (which must be the version number of the Native 467 Client software current at the time the Issue was submitted to 468 the `Native Client Issue Tracker 469 <http://code.google.com/p/nativeclient/issues/list>`_). 470 471 * Any other details about the Exploit and the submission that 472 are relevant to the judging criteria, such as, for example, 473 the approach used in finding the exploits, innovative or 474 scalable techniques used to discover exploits, or 475 architectural analysis. 476 477 * The team name or user name of the Participant. Google may, in 478 its sole discretion, eliminate or disqualify any Summary that 479 lists user names or team names that are not identical to the 480 user name or team name of the Participant listed on the 481 Contest entry form. 482 483 #. Each Summary must be a maximum of 8 pages long, in PDF format 484 viewable with Adobe Reader version 9. The Summary must be 485 formatted for 8.5 inches x11 inches or A4 paper, with a minimum 486 font size of 10 pt. Any submission that does not meet these 487 formatting criteria may be disqualified at the sole discretion 488 of Google. 489 490 #. All Issues listed in the Summary will be verified by Google 491 before submission of the Summary to the Judges after the Contest 492 Closing Date. Participants may submit or resubmit their Summary 493 at any time during the duration of the Contest, however, the 494 Judges will consider only the last Summary from each Participant 495 prior to the Contest Closing Date and ignore all other Summaries 496 previously submitted by the Participant. 497 498#. Judging 499 500 1. After the Contest End Date and on or about May 15th, 2009, all 501 submitted Summaries will be judged by one of at least three 502 panels with a minimum of three experts in the field of online 503 security ("Judges") on each panel. Judges will evaluate each 504 Summary in accordance with the Judging Criteria described 505 below. Each panel will evaluate a number of the submitted 506 Summaries using the Judging Criteria described below and will 507 select the highest ranking Summaries to move to the next level 508 of judging. During the first round of judging, each panel will 509 select no more than ten Summaries to move forward to the second 510 round of judging unless there is a tie between or among any 511 Participants. During the second round of judging, those 512 Summaries selected during the first round of judging will then 513 be evaluated by all Judges using the below Judging Criteria and 514 the top five Summaries will be selected as potential 515 winners. All decisions of the Judges are final and binding. 516 517 #. Judging Criteria. The Judges will consider each Summary under 518 following judging criteria ("Judging Criteria"): 519 520 (a) Quality of Exploit. Quality will be decided by the Judges in 521 their sole discretion and will be based on (in order of 522 importance to the Judges) Severity, Scope, Reliability and 523 Style. 524 525 (i) Severity: the more disruptive the effects of the 526 Exploit, the higher its quality. Here is a 527 non-exhaustive ranking of the most common Exploits 528 starting from 'minor' to 'severe': 529 530 * Browser crash; 531 532 * Denial of service or machine crash; 533 534 * Compromise of the Outer Sandbox; 535 536 * Information leak (such as of a cookie or password); 537 538 * Compromise of both the Inner and Outer Sandbox; and/or 539 540 * Prohibited side effect (such as reading or writing 541 files to the client machine), escalation of privilege 542 (such as executing other programs outside of Native 543 Client). 544 545 Any Exploit that does not address the above elements 546 will be evaluated on a case-by-case basis and the 547 severity of such Exploits will be determined solely at 548 the Judge’s discretion. 549 550 (#) Scope: the more computers that an Exploit would 551 potentially affect, the bigger its scope and therefore 552 higher the quality of the Exploit. Consider the 553 following: 554 555 * Exploits that affect all platforms supported by Native 556 Client (where platform is defined as a browser, 557 operating system and hardware combination) have higher 558 quality than an Exploit specific to a particular 559 platform. 560 561 * Exploits that require non-current or beta versions 562 (historic or future) of hardware or software are lower 563 quality. 564 565 * Exploits that rely on concurrent usage of other 566 installed software or web content must make a 567 compelling case about the likelihood of the 568 prerequisite software or content being present, or 569 they will be considered of lower quality. 570 571 (#) Reliability: The more frequent or probable the 572 occurrence identified by the Exploit, the more 573 "reliable" it may be. Consider the following: 574 575 * Exploits that require uncommon software to be 576 installed on the machine in order to function will be 577 deemed to have lower quality. 578 579 * Entries that include Exploits that cannot be 580 reproduced 100% of the time, but which can be 581 reproduced a significant percentage of the time, will 582 be deemed to have a lower quality to account for a 583 lowered probability that the attack will succeed. 584 585 (#) Style: Submissions that demonstrate exceptional style 586 will receive a higher ranking. Factors that contribute 587 to style include: 588 589 * Ingenuity in mechanism used to bypass security; 590 591 * Uniqueness of the Exploit; 592 593 * Ingenuity in methods used to discover vulnerabilities; 594 and/or Minimal size of Exploit to achieve the effect. 595 596 (#) the Quantity of Exploits: Participants that submit more 597 Exploits in their Summary (but no more than 10) may receive 598 a higher ranking, weighted by quality. However, it is still 599 possible that a Participant who submits one Exploit could 600 still outweigh a Participant that submits several Exploits. 601 602 Considering each of the factors described above, the Judges will 603 give each Summary a "Score" from 1-10 that represents the Judges 604 evaluation of the Summary. This "score" will determine which 605 participants move from the first round of judging to the second 606 round of judging, and which participants will be selected as a 607 winner. 608 609 #. Winner Selection 610 611 Judges will review the Summaries as discussed in the "Judging" 612 section, above. The Summaries with the five (5) highest scores 613 will be selected as potentially winning Participants. In the 614 event of a tie ranking for two or more Summaries, the 615 Participant whose Summary had the highest ranking for "Severity" 616 will receive the higher prize. In the event of a second tie, the 617 Participant whose Summary had the highest ranking for "Scope" 618 will receive the higher prize. Odds of winning depend on the 619 number of eligible entries received and the skill of the 620 Participants. 621 622 The Judges are under no obligation to provide feedback on their 623 decisions or on their judgment on specific Exploits they 624 consider. 625 626 #. Team Winners 627 628 A special note about the prize distribution process for 629 Participants who are entering as part of a team: 630 631 A single member of each team shall be designated to receive the 632 prize, if any, awarded to such team at the initial registration 633 of the team, and Google shall have no responsibility for 634 distribution of the prize among the team members. 635 636 Each individual that enters as part of a team, understands and 637 agrees that if his/her team is selected to receive a prize, the 638 team is responsible for ensuring the funds are appropriately 639 distributed to each member of the team. In addition, once a team 640 has registered, the team may not add, remove, or substitute any 641 members or otherwise change the composition of the team for the 642 duration of the Contest. If any member of a team does not comply 643 with these Terms, is ineligible or is disqualified, the team as 644 a whole may be disqualified in Google’s sole discretion. 645 646#. Prizes 647 648 1. Information Required for Eligibility 649 650 (a) On or about May 15th 2009 and upon selection of potential 651 winners, Google will contact all winning Participants using 652 the email addresses submitted at registration. In order to 653 win the Contest and receive prizes, Participants, including 654 each individual on a team, must provide additional 655 information including: 656 657 * first and last name; 658 659 * address; 660 661 * phone number; and 662 663 * all other necessary information required by the US tax and 664 legal authorities and /or the authorities of the countries 665 they reside in. 666 667 (#) All Participants will need to verify their identity with 668 Google, before receiving their prize; however, Participants 669 may provide an alias for use in any public documentation and 670 marketing material issued publicly by Google, subject to 671 limitations of the law and as required by law 672 enforcement. Please be aware that in some jurisdictions, a 673 list of winners must be made available and your name, and 674 not the alias, will be provided on that list. If a 675 Participant, or in the case of a team, any individual member 676 of the team, refuses or fails to provide the necessary 677 information to Google within 14 days of the Contest 678 administrators' request for the required information, then 679 Google may, in its sole discretion, disqualify the 680 Participant's entry and select as an alternative potential 681 winner the Participant with the next highest overall 682 ranking. Google will not be held responsible for any failure 683 of potential winners to receive notification that they are 684 potential winners. Except where prohibited by law, each 685 potential winner may be required to sign and return a 686 Declaration of Eligibility, Liability & Publicity Release 687 and Release of Rights and provide any additional information 688 that may be required by Google. If required, potential 689 winners must return all such required documents within 14 690 calendar days following attempted notification or such 691 potential winner will be deemed to have forfeited the prize 692 and Google will select the Participant with the next highest 693 overall ranking as the potential winner. 694 695 (#) Prizes will be awarded within 6 months after the Contest End Date. 696 697 (#) If fewer than 5 Participants or teams are found eligible, 698 fewer than 5 winners will be selected. 699 700 (#) Prizes are not transferable or substitutable, except by 701 Google in its sole discretion in the event a prize becomes 702 unavailable for any reason. In such an instance, Google will 703 award a prize of equal or greater value. 704 705 (#) LIMIT: Only one prize per Participant. 706 707 #. Prize Amounts and Announcement 708 709 Provided that the Participant has complied with these Terms, 710 eligible Participants that are ranked in the top 5 positions of 711 the competition by Judges will receive the following awards in 712 U.S. Dollars based on their rank: 1st prize: $8,192.00, 2nd 713 prize: $4,096.00, 3rd prize: $2,048.00, 4th prize: $1,024.00, 714 5th prize: $1,024.00. Winning Entries will be announced on or 715 about December 7th. 716 717 #. Distribution of a Prize 718 719 Google is not responsible for any division or distribution of 720 the prizes among or between team members. Distribution or 721 division of the prize among individual team members is the sole 722 responsibility of the participating team. Google will award the 723 prize only to the one (1) member of the team, who was identified 724 by the Participant to receive the prize as part of the 725 registration process. Google will attempt to reach only the 726 designated recipient for purposes of distribution of the prize. 727 728 Prizes are awarded without warranty of any kind from Google, 729 express or implied, without limitation, except where this would 730 be contrary to federal, state, provincial, or local laws or 731 regulations. All federal, state, provincial and local laws and 732 regulations apply. 733 734 #. Taxes 735 736 Payments to potential prize winners are subject to the express 737 requirement that they submit to Google all documentation 738 requested by Google to permit it to comply with all applicable 739 US, state, local and foreign (including provincial) tax 740 reporting and withholding requirements. All prizes will be net 741 of any taxes Google is required by law to withhold. All taxes 742 imposed on the prize are the sole responsibility of the prize 743 recipient. 744 745 In order to receive a prize, potential prize recipients must 746 submit the tax documentation requested by Google or otherwise 747 required by applicable law, to Google or the relevant tax 748 authority, all as determined by applicable law, including, where 749 relevant, the law of the potential prize recipient's country of 750 residence. The potential prize recipient is responsible for 751 ensuring that (s)he complies with all the applicable tax laws 752 and filing requirements. If a potential prize recipient fails to 753 provide such documentation or comply with such laws, the prize 754 may be forfeited and Google may, in its sole discretion, select 755 an alternative potential prize recipient. 756 757#. General Conditions 758 759 1. Right to Disqualify. A Participant may be prohibited from 760 participating in or be disqualified from this Contest if, in 761 Google's sole discretion, it reasonably believes that the 762 Participant or any member of a Participant team has attempted to 763 undermine the legitimate operation of the Contest by cheating, 764 deception, or other unfair playing practices or annoys, abuses, 765 threatens or harasses any other Participants, Google, or the 766 Judges. Google further reserves the right to disqualify any 767 Issue that it believes in its sole and unfettered discretion 768 infringes upon or violates the rights of any third party, 769 otherwise does not comply with these Terms, or violates U.S. or 770 applicable local law in Participant's country of residence. 771 772 Google further reserves the right to disqualify any Participant 773 who tampers with the submission process or any other part of the 774 Contest. Any attempt by a Participant to deliberately damage any 775 web site or undermine the legitimate operation of the Contest is 776 a violation of criminal and civil laws and should such an 777 attempt be made, Google reserves the right to seek damages from 778 any such Participant to the fullest extent of the applicable 779 law. 780 781 #. Internet Disclaimer. Google is not responsible for any 782 malfunction of the entire Contest, the web site displaying the 783 Contest terms and entry information, or any late, lost, damaged, 784 misdirected, incomplete, illegible, undeliverable, or destroyed 785 Exploits, Issues or Summaries due to system errors, failed, 786 incomplete or garbled computer or other telecommunication 787 transmission malfunctions, hardware or software failures of any 788 kind, lost or unavailable network connections, typographical or 789 system/human errors and failures, technical malfunction(s) of 790 any telephone network or lines, cable connections, satellite 791 transmissions, servers or providers, or computer equipment, 792 traffic congestion on the Internet or at the web site displaying 793 the Contest or any combination thereof, including other 794 telecommunication, cable, digital or satellite malfunctions 795 which may limit an entrant’s ability to participate. Google is 796 not responsible for availability of the `Native Client Issue 797 Tracker <http://code.google.com/p/nativeclient/issues/list>`_ 798 from your preferred point of Internet access. In the event of a 799 technical disruption, Google may, in its sole discretion, extend 800 the Contest End Date for a reasonable period. Google will 801 attempt to notify Participants of any such extension by email at 802 the email address in the registration information, but shall 803 have no liability for any failure of such notification. 804 805 #. Exploits Independently Discovered by Google. You acknowledge and 806 understand that Google may discover Exploits independently that 807 may be similar to or identical to your Issues in terms of 808 function, vulnerability, or in other respects. You agree that 809 you will not be entitled to any rights in, or compensation in 810 connection with, any such similar or identical applications 811 and/or ideas. You acknowledge that you have submitted your entry 812 voluntarily and not in confidence or in trust. 813 814 #. No Contract for Employment. You acknowledge that no 815 confidential, fiduciary, agency or other relationship or 816 implied-in-fact contract now exists between you and Google and 817 that no such relationship is established by your submission of 818 an entry to Google in this Contest. Under no circumstances shall 819 the submission of an entry in the Contest, the awarding of a 820 prize, or anything in these Terms be construed as an offer or 821 contract of employment with Google. 822 823 #. Intellectual Property Rights and License. Participants warrant 824 that their Exploit and Summary are their own original work and, 825 as such, they are the sole and exclusive owner and rights holder 826 of the submitted Exploit and Summary and that they have the 827 right to submit the Exploit and Summary in the Contest and grant 828 all required licenses. Each Participant agrees not to submit any 829 Exploit and Summary that (a) infringes any third party 830 proprietary rights, intellectual property rights, industrial 831 property rights, personal or moral rights or any other rights, 832 including without limitation, copyright, trademark, patent, 833 trade secret, privacy, publicity or confidentiality obligations; 834 or (b) otherwise violates the applicable state, federal, 835 provincial or local law. 836 837 As between Google and the Participant, the Participant retains 838 ownership of all intellectual and industrial property rights in 839 and to the Issues and Summary that Participant created. As a 840 condition of entry, Participant grants Google a perpetual, 841 irrevocable, worldwide, royalty-free, and non-exclusive license 842 to use, reproduce, publicly perform, publicly display, 843 distribute, sublicense and create a derivative work from, any 844 Issue or Summary that Participant submits to this Contest for 845 the purposes of allowing Google to test, evaluate and fix or 846 remedy the Issue and Summary for purposes of the Contest and 847 modifying or improving the Native Client software or any other 848 current or future Google product or service. 849 850 Participant also grants Google the right to reproduce and 851 distribute the Issue and the Summary. In addition, Participant 852 specifically agrees that Google shall have the right to use, 853 reproduce, publicly perform, and publicly display the Issue and 854 Summary in connection with the advertising and promotion of the 855 Native Client software or any other current or future Google 856 product or service via communication to the public or other 857 groups, including, but not limited to, the right to make 858 screenshots, animations and video clips available for 859 promotional purposes. 860 861 #. Privacy. Participants agree that personal data provided to 862 Google during the Contest, including name, mailing address, 863 phone number, and email address may be processed, stored, and 864 otherwise used for the purposes and within the context of the 865 Contest. This data will be maintained in accordance with the 866 Google Privacy Policy found at 867 http://www.google.com/privacypolicy.html. This data will also be 868 transferred into the United States. By entering, Participants 869 agree to the transmission, processing, and storage of this 870 personal data in the United States. 871 872 Participants also understand this data may be used by Google in 873 order to verify a Participant's identity, postal address and 874 telephone number in the event a Participant qualifies for a 875 prize. Participants have the right to access, review, rectify or 876 cancel any personal data held by Google in connection with the 877 Contest by writing to Google at the address listed below in the 878 section entitled "Winner’s List." 879 880 For residents of the European Union: 881 882 Pursuant to EU law pertaining to data collection and processing, 883 you are informed that: 884 885 * The data controller is Google and the data recipients are 886 Google and its agents; 887 888 * Your data is collected for purposes of administration of the 889 Native Client Security Contest; 890 891 * You have a right of access to and withdrawal of your personal 892 data. You also have a right of opposition to the data 893 collection, under certain circumstances. To exercise such 894 right, You may write to: Native Client Security Contest, 895 Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 896 94043, USA. 897 898 * Your personal data will be transferred to the U.S. 899 900 #. Indemnity. To the maximum extent permitted by law, each 901 Participant indemnifies and agrees to keep indemnified Google 902 and Judges at all times from and against any liability, claims, 903 demands, losses, damages, costs and expenses resulting from any 904 act, default or omission of the Participant and/or a breach of 905 any warranty set forth herein. To the maximum extent permitted 906 by law, each Participant agrees to defend, indemnify and hold 907 harmless Google, its affiliates and their respective directors, 908 officers, employees and agents from and against any and all 909 claims, actions, suits or proceedings, as well as any and all 910 losses, liabilities, damages, costs and expenses (including 911 reasonable attorneys fees) arising out of or accruing from: 912 913 (a) any material uploaded or otherwise provided by the 914 Participant that infringes any copyright, trademark, trade 915 secret, trade dress, patent or other intellectual property 916 right of any person or defames any person or violates their 917 rights of publicity or privacy, 918 919 (b) any misrepresentation made by the Participant in connection 920 with the Contest; 921 922 (c) any non-compliance by the Participant with these Terms; and 923 924 (d) claims brought by persons or entities other than the parties 925 to these Terms arising from or related to the Participant's 926 involvement with the Contest. 927 928 To the extent permitted by law, Participant agrees to hold 929 Google, its respective directors, officers, employees and 930 assigns harmless for any injury or damage caused or claimed to 931 be caused by participation in the Contest and/or use or 932 acceptance of any prize, except to the extent that any death or 933 personal injury is caused by the negligence of Google. 934 935 #. Elimination. Any false information provided within the context 936 of the Contest by any Participant including information 937 concerning identity, mailing address, telephone number, email 938 address, or ownership of right, or non-compliance with these 939 Terms or the like may result in the immediate elimination of the 940 Participant from the Contest. In the event an individual who is 941 a member of a team supplies information that is covered by this 942 section, the entire team shall be disqualified. 943 944 #. Right to Cancel. If for any reason the Contest is not capable of 945 running as planned, including infection by computer virus, bugs, 946 tampering, unauthorized intervention, fraud, technical failures, 947 or any other causes which corrupt or affect the administration, 948 security, fairness, integrity, or proper conduct of the Contest, 949 Google reserves the right at its sole discretion to cancel, 950 terminate, modify or suspend the Contest. 951 952 #. Forum and Recourse to Judicial Procedures. These Terms shall be 953 governed by, subject to, and construed in accordance with the 954 laws of the State of California, United States of America, 955 excluding all conflict of law rules. If any provision(s) of 956 these Terms are held to be invalid or unenforceable, all 957 remaining provisions hereof will remain in full force and 958 effect. To the extent permitted by law, the rights to litigate, 959 seek injunctive relief or make any other recourse to judicial or 960 any other procedure in case of disputes or claims resulting from 961 or in connection with this Contest are hereby excluded, and all 962 Participants expressly waive any and all such rights. 963 964 #. Arbitration. By entering the Contest, you agree that exclusive 965 jurisdiction for any dispute, claim, or demand related in any 966 way to the Contest will be decided by binding arbitration. All 967 disputes between you and Google, of whatsoever kind or nature 968 arising out of these Terms, shall be submitted to Judicial 969 Arbitration and Mediation Services, Inc. ("JAMS") for binding 970 arbitration under its rules then in effect in the San Jose, 971 California, USA area, before one arbitrator to be mutually 972 agreed upon by both parties. The parties agree to share equally 973 in the arbitration costs incurred. 974 975 #. Winner List 976 977 You may request a list of winners after December 7th, 2009 by 978 writing to: 979 980 | Native Client Security Contest 981 | Google Inc. 982 | 1600 Amphitheater Parkway 983 | Mountain View, CA 94043 984 | USA 985 986 (Residents of Vermont need not supply postage). 987