search

Code4rena Terms of Service

Effective Date: January 7, 2025

hashtag
1. What is this?

These Terms of Service (these “Terms”) are a binding agreement between ZC Security Holdings, LLC, dba Code4rena, a Delaware Limited Liability Company (“C4”, “we”, “us”, or “our”), and the individual, group, or entity that creates an Account or otherwise accesses or uses the Services (“you”).

By selecting “I agree,” creating an Account, or accessing or using the Services, you: (a) accept these Terms; (b) acknowledge the Privacy Policy; and (c) agree that the Program Rules (defined below) and, where applicable, the Private Audit Terms (defined below) are incorporated herein by reference.

If you accept these Terms on behalf of an entity, you represent and warrant that you have authority to bind that entity and that “you” refers to such entity. You consent to receive notices and records electronically.

hashtag
2. Incorporated Documents; Program Rules; Private Audit Terms

The following documents are incorporated into and made part of these Terms (collectively, the “Program Rules”): Code of Conductarrow-up-right, each as updated from time to time in accordance with this Agreement.

If you participate in any private, closed, or invite‑only audit (each, a “Private Audit”), you must accept any terms we set forth specific to each audit (“Private Audit Terms”).

hashtag
3. Definitions

"Account” means the user account you create to access the Services.

“Audit” means a public security review event coordinated through the Services, governed by the Program Rules.

“Private Audit” means a security review coordinated through the Services with restricted access governed by the Private Audit Terms.

“Sponsor” means the person or entity whose code or system is the subject of an Audit or Private Audit.

“Warden” means a participant who submits findings or related materials in an Audit or Private Audit.

“Judge” means an individual appointed by C4 to evaluate Submissions and allocate Awards pursuant to the judging criteria in relevant Program Materials.

“Scout” means an individual who performs community functions designated by C4.

“Submission” means any report, finding, reproduction steps, proof‑of‑concept, analysis, code snippet, diagram, or other material submitted through the Services.

“Background IP” means your pre‑existing ideas, know‑how, methods, workflows, tools, templates, and materials, whether or not included in a Submission.

“Award” means any compensation, bounty, prize, token allocation, or other consideration provided in connection with an Audit or Private Audit. Award criteria will be provided on a per contest basis and determined in C4 sole discretion .

“Tokens” means blockchain‑based digital assets.

“Program Materials” means per‑audit documentation (including READMEs, out‑of‑scope lists, and timelines), judging criteria, award criteria, and other documents published by C4 or a Sponsor. In the event of a conflict between materials Program Materials published by C4 and those published by a Sponsor, Program Materials published by C4 shall govern.

“Prohibited Person” means any person or entity subject to sanctions or trade restrictions under applicable laws or located in an embargoed jurisdiction.

“Unauthorized Methods” has the meaning set out in Section 8.

“Safe Harbor Scope” means the permitted testing boundaries and conditions for an Audit or Private Audit, as defined in the applicable Program Materials.

“Services” means the Code4rena platform, websites, applications, and related services we provide.

“Work Product” means any reports, summaries, write-ups, findings, narratives, analyses, and other materials created by or on behalf of C4 (including by wardens, judges, scouts, or other contributors engaged through C4) in connection with the Services, which may incorporate or be based on Submissions and other inputs. Work Product does not include Sponsor IP, your Background IP, or C4 IP that exists independently of a particular Audit or Private Audit.

hashtag
4. Interpretation; Order of Precedence

a) Confidentiality. If there is any inconsistency about confidentiality, these Terms will control.

b) Everything else. For all other inconsistencies, the documents that make up this agreement apply in the following order. The earlier item in the list governs over any later item on the same point:

  1. These Terms

  2. Program Rules (Code of Conduct)

  3. Program Materials for the relevant Audit or Private Audit

  4. FAQs and other announcements published on the Services

hashtag
5. Eligibility; Account Security; Compliance; Multiple Accounts

a) General. You may use the Services only if you are not a Prohibited Person and are not barred from using the Services under applicable law.

b) Age and Minors.

(i) If you are 18 or older (or the age of majority where you reside), you represent and warrant that you have the legal capacity to enter into these Terms.

(ii) If you are under the age of majority but at least 13 years old (a “Minor”), you may use the Services and participate in Audits and Private Audits only if your parent or legal guardian (A) has reviewed and accepted these Terms on your behalf, (B) agrees to be responsible for your use of the Services, and (C) is the contracting party for purposes of any Awards and related tax/KYC obligations.

(iii) C4 does not knowingly permit children under 13 to create Accounts or use the Services. If you are under 13, you may not use the Services. If we learn that a child under 13 has created an Account, we may delete the Account and associated data subject to applicable law. No awards will be made to persons under 13.

c) Sanctions / Compliance. You represent and warrant that neither you nor, where you are a Minor, your parent or legal guardian, is a Prohibited Person and that you (and, where applicable, your parent or legal guardian) will comply with applicable sanctions, export, anti-corruption, and anti-money-laundering laws.

d) KYC / Tax. We may require identity verification, KYB/KYC, and tax information (for example, IRS Forms W-8/W-9) from you or, where you are a Minor, from your parent or legal guardian before permitting participation or payment of any Award.

e) Account Security. You are responsible for maintaining the confidentiality of your Account credentials and for all activities under your Account. Where you are a Minor, your parent or legal guardian is responsible for supervising your use of the Services and ensuring compliance with these Terms.

f) You will only register and maintain one account. The creation or use of multiple accounts by the same user is prohibited and subject to termination and forfeiture of any Awards.

g) You will ensure that you will treat data accessed and received with reasonable safeguards designed to protect private and confidential information, and that you will promptly inform C4 of any breaches of their administrative, technical or operational security. You shall be liable for disclosure of Confidential Information resulting from a breach of your administrative, technical or operational security.

hashtag
6. Services; Roles; Access; Suspension

We operate the Services, schedule Audits and Private Audits, coordinate judging and Awards, and publish reports. We may modify or discontinue features, or suspend or terminate your access for actual or suspected violation of these Terms or the Program Rules, risk to the Services or users, or legal compliance reasons. Participation does not create employment, agency, joint venture, or partnership.

hashtag
7. Conduct; Acceptable Use; Unauthorized Methods

You must comply with the Code of Conduct and the Program Rules. Without limiting the foregoing, you will not: (a) test outside the Safe Harbor Scope; (b) harm production systems or third‑party users; (c) access data beyond minimal proof of concept; (d) violate law or third‑party rights; (e) attempt to circumvent rate limits or access controls; (f) engage in collusion, doxxing, harassment, or similar misconduct; (g) create multiple accounts.

“Unauthorized Methods” include, without limitation: mainnet exploitation; attacks causing denial of service; spam; social engineering of non‑consenting parties; exfiltration of personal data; and privacy‑impacting tests without explicit written scope. Team participation is permitted if all contributors are registered and bound by these Terms; subcontracting to unbound parties is prohibited.

hashtag
8. Intellectual Property; Licensing; Feedback

(a) Ownership of Submissions and Background IP. As between you and C4, you retain all right, title, and interest in and to your Submissions and your Background IP.

(b) License to C4. You grant C4 a perpetual, worldwide, non-exclusive, royalty-free, transferable, sublicensable license to host, reproduce, display, distribute, adapt, and create derivative works from your Submissions to: (i) operate and provide the Services; (ii) conduct Audits and Private Audits; (iii) produce, use, and publish Work Product; and (iv) market the Services and community.

(c) License to Sponsors. For each Audit or Private Audit you join, you grant the applicable Sponsor a perpetual, worldwide, non-exclusive, royalty-free license to use your Submissions internally to evaluate, triage, and remediate issues and to include limited excerpts in their internal documentation. This license does not include any right to commercialize your general methodologies or Background IP, or to use your Submissions to train or improve machine-learning or similar models, unless agreed in a separate written instrument.

(d) Work Product and C4 IP. C4 may combine, edit, and incorporate Submissions into Work Product. As between you and C4, C4 owns all right, title, and interest in and to the Work Product and C4 IP, subject to your continued ownership of your Submissions and Background IP and the licenses you grant in this Section.

(e) C4 Content and Limited License to You. The Services, C4 IP, Work Product, audit reports, leaderboards, documentation, site text, designs, compilations, selection and arrangement of Submissions, and all other content C4 makes available (together, “C4 Content”) are owned by C4 or its licensors. Subject to these Terms, C4 grants you a limited, revocable, non-exclusive, non-transferable, non-sublicensable license to access and use C4 Content solely for your own personal or internal business purposes in connection with participating in Audits and Private Audits or evaluating the Services.

(f) Reservation of Rights. Except for the licenses expressly granted in this Section, no rights are granted to you in or to the Services, C4 Content, any Submissions, or C4 IP, whether by implication, estoppel, or otherwise. C4 and its licensors reserve all rights not expressly granted.

(g) No Scraping or Bulk Access. You may not, and may not permit any third party, bot, or agent, to, access, search, scrape, crawl, or index the Services or any C4 Content by automated means (including bots, AI agents, or similar tools), or copy, harvest, or bulk-download C4 Content, except as expressly permitted in a separate written agreement with C4 or via public APIs that C4 designates for that purpose.

(h) No AI or Machine-Learning Training. Except as expressly authorized in a separate written agreement with C4 (or via C4 affiliate entities), you may not, and may not permit any third party to: (i) use the Services, any C4 Content, or any Submissions to train, fine-tune, evaluate, or otherwise improve any machine-learning, large-language, foundation, or similar artificial-intelligence model; (ii) create embeddings, feature vectors, or other derived datasets from the Services, any C4 Content, or any Submissions for use with such models; or (iii) use any automated means to collect or analyze the Services, C4 Content, or Submissions for text-and-data-mining purposes related to model training or evaluation.

(i) Aggregated / De-identified Use by C4. C4 may use Work Product, Submissions, and data derived from the provision and use of the Services in aggregated or de-identified form to operate, maintain, and improve the Services and related contests, to develop analytics and machine-learning or artificial-intelligence models, and to publish industry research and benchmarking, provided that such use does not identify you by name without your consent, except where you have already publicly associated yourself with the relevant Audit or Private Audit.

(j) Code Snippets. You grant a non-exclusive copyright license to any code snippets included in your Submissions that are strictly necessary to demonstrate or reproduce a finding.

(k) Moral Rights. To the extent permitted by law, you waive moral rights in your Submissions against C4 and Sponsors to enable the licenses and uses described in this Section.

(l) Attribution. C4 may attribute Submissions and Work Product to your platform handle (and, where you have chosen to use it, your name) unless you opt out where permitted by the Program Rules.

(m) Feedback. If you provide ideas, suggestions, or other feedback, you grant C4 a perpetual, worldwide, irrevocable, royalty-free license to use such feedback for any purpose without attribution or compensation.

(n) Enforcement. Any access or use of the Services, C4 Content, or Submissions in violation of the restrictions in this Section 8 is unauthorized, automatically terminates the license granted to you under this Section, and may subject you to civil and/or criminal liability under applicable law.

hashtag
9. Safe Harbor (Authorization to Test)

Authorization. Within the Safe Harbor Scope defined in the applicable Program Materials your testing is authorized by the relevant Sponsor.

Conditions. You will not target production users, exfiltrate personal data, or disrupt availability. You will cease testing upon request. You will promptly report vulnerabilities through the Services.

Third‑Party Inquiries. If a third party contacts you regarding your audit activity, notify C4 and we will confirm your authorization to that party to the extent appropriate.

Out‑of‑Scope. Activity outside the Safe Harbor Scope is not authorized and may result in disqualification, suspension, referral to applicable authorities, and other remedies.

hashtag
10. Confidentiality; Prohibition on Public Disclosure before Publication

  1. Public Audits. Submissions and Program Materials may be published consistent with the Program Rules.

  2. Private Audits. Information designated confidential is governed by these Terms as well as any applicable documents you may be required to sign. Exceptions include information already public without breach, independently developed without use of confidential information, or rightfully received from a third party without confidentiality obligations.

  3. Public Disclosure Before Publication. You must not publicly disclose, publish, or discuss any bugs, vulnerabilities, or related technical details discovered in connection with an Audit or Private Audit (including in Submissions or Work Product) until C4 has published the corresponding audit report or otherwise notified participants that disclosure is permitted. “Publicly disclose” includes, without limitation, posting on social media, blogs, forums, conferences, meetups, code repositories, messaging channels not expressly designated by C4 for that Audit, or sharing with third parties outside your registered team.

A violation of this Section is a material breach of these Terms and may result in immediate disqualification from the applicable Audit, forfeiture of any unpaid Awards related to that Audit, suspension or termination of your Account, and loss of eligibility to participate in future C4 events.

hashtag
11. Awards; Payments; Taxes; Unclaimed Property; Token Risks

  1. Awards. Awards are discretionary and based on the Program Materials A Judge’s determinations are final absent fraud or manifest error.

  2. KYC & Tax. Payment requires timely completion of KYC/KYB and tax forms. We may engage service providers to perform identity and sanctions screening.

  3. Timing and Method. Payments may be in fiat or crypto. Network selection and timing may vary due to network conditions. Unless prohibited by law, you bear network fees and are responsible for accurate payout details.

  4. Deadlines and Unclaimed Property. If you fail to complete required steps within 30 days of notice, we may delay payment. If you do not complete any required KYC/KYB and tax requests within 30 days of the award announcement, you will forfeit your award.

  5. Withholding. We may withhold amounts required by law or by Sponsor instructions that comply with law.

  6. Token Risks. Tokens are volatile and may be subject to technological, regulatory, or market risks. You assume all risks of Token receipt, custody, taxation, and disposition.

hashtag
12. Privacy; Data Protection

The Privacy Policy describes our processing of personal data, including categories of data, purposes, lawful bases, processors, cross‑border transfers, retention, security measures, and user rights. We will not make security representations beyond those in the Privacy Policy.

hashtag
13. Third‑Party Services; Open Source

You may connect third‑party services (e.g., wallets, identity providers, analytics). Those services are governed by their own terms and privacy policies, which we do not control. You are responsible for compliance with open‑source licenses in audited repositories.

hashtag
14. Copyright Policy (DMCA)

If you believe content on the Services infringes your copyright, you may submit a notice pursuant to 17 U.S.C. §512 to C4’s designated agent at: [email protected] Your notice must include the information required by §512(c)(3). We may remove or disable access to allegedly infringing material and terminate repeat infringers in appropriate circumstances.

hashtag
15. Representations and Warranties; Disclaimer

Your Representations. You represent and warrant that: (a) you have all rights necessary to grant the licenses in Section 8; (b) your Submissions do not infringe, misappropriate, or violate any third‑party rights or law; (c) you will comply with these Terms, the Program Rules, and applicable law; and (d) you are not a Prohibited Person.

Service Disclaimer. THE SERVICES, AUDITS, PRIVATE AUDITS, REPORTS, AND ALL RELATED MATERIALS ARE PROVIDED “AS IS” AND “AS AVAILABLE.” TO THE MAXIMUM EXTENT PERMITTED BY LAW, C4 DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON‑INFRINGEMENT, AND QUIET ENJOYMENT. AUDITS ARE NOT CERTIFICATIONS OR GUARANTEES OF SECURITY.

hashtag
16. Indemnification

By You. You will indemnify, defend, and hold harmless C4, its Affiliates, and their respective officers, directors, employees, and agents from and against claims, losses, liabilities, damages, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) your Submissions; (b) your out‑of‑scope or unlawful testing; (c) your breach of these Terms or the Program Rules; or (d) your violation of law or third‑party rights.

By Sponsors. Sponsors will indemnify, defend, and hold harmless C4 from and against claims arising from Sponsor materials and the audited codebase.

Mutual. Each party will indemnify the other for breaches of confidentiality obligations under these Terms or an applicable NDA.

hashtag
17. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY IS LIABLE FOR INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR FOR LOST PROFITS, REVENUE, GOODWILL, OR DATA, EVEN IF ADVISED OF THE POSSIBILITY. C4’S TOTAL LIABILITY FOR ALL CLAIMS RELATING TO THE SERVICES WILL NOT EXCEED THE GREATER OF: (i) USD $1,000; OR (ii) THE AMOUNTS PAID BY C4 TO YOU IN THE 12‑MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO LIABILITY. THE FOREGOING LIMITATIONS DO NOT APPLY TO WILLFUL MISCONDUCT, FRAUD, OR BODILY INJURY. SOME JURISDICTIONS DO NOT ALLOW CERTAIN LIMITATIONS, IN WHICH CASE THEY APPLY TO THE MAXIMUM EXTENT PERMITTED.

hashtag
18. Dispute Resolution; Arbitration; Governing Law

  1. Governing Law. These Terms are governed by the laws of the State of New York, excluding its conflict‑of‑laws rules.

  2. Mandatory Arbitration. Any dispute, claim, or controversy arising out of or relating to these Terms or the Services (collectively, “Disputes”) will be resolved by binding arbitration administered by JAMS under its Comprehensive Arbitration Rules and Procedures then in effect (the “Rules”). The seat and venue of arbitration will be New York, New York. The language will be English. One arbitrator will preside.

  3. Delegation. The arbitrator has exclusive authority to resolve any Dispute relating to the interpretation, applicability, enforceability, or formation of this arbitration agreement, including any claim that all or any part of it is void or voidable.

  4. Class and Jury Waiver. You and C4 agree that each may bring claims only in your or its individual capacity, not as a plaintiff or class member in any purported class, collective, consolidated, mass, or representative proceeding. To the extent a Dispute is litigated in court rather than arbitrated, the parties waive any right to a jury trial.

  5. Injunctive Relief; Small Claims. Either party may seek temporary or preliminary injunctive relief in a court of competent jurisdiction to protect its intellectual property or confidential information. Either party may bring an individual action in small claims court.

  6. Confidentiality. The parties will keep the existence of the arbitration, the proceedings, and the award confidential, except as required to enforce or vacate an award or as required by law.

  7. Opt‑Out. You may opt out of this arbitration agreement within 30 days of first accepting these Terms by sending written notice to [email protected]. Your opt‑out will not affect other provisions of these Terms.

hashtag
19. Export; Sanctions; Anti‑Corruption

You will comply with all applicable export control, sanctions, and anti‑corruption laws, including those administered by OFAC, BIS, and other authorities. You represent that neither you nor your beneficial owners, directors, or officers are Prohibited Persons. You will not access or use the Services from, or for the benefit of, any Prohibited Person or embargoed jurisdiction.

hashtag
20. Changes

We may update these Terms and the Program Rules by posting an updated version and effective date on the Services and maintaining a public change log. Material changes require re‑acceptance before you join or continue in Audits or Private Audits occurring after the effective date of such changes.

hashtag
21. Term; Termination; Suspension; Survival

These Terms commence on your acceptance and continue until terminated. You may terminate by closing your Account. We may suspend or terminate for cause, including for violations of these Terms or legal requirements, or upon platform shutdown. Any provisions that by their nature should survive, will survive termination.

hashtag
22. Notices

C4 may provide notices to the email address associated with your Account or through the Services. Legal notices to C4 must be sent to: [email protected]envelope. Notices are deemed given when received (email) or three business days after mailing by certified mail (physical).

hashtag
23. Assignment; Change of Control

You may not assign or transfer these Terms without our prior written consent, and any attempted assignment in violation of the foregoing is void. We may assign these Terms to an Affiliate or in connection with a merger, acquisition, reorganization, or sale of assets. These Terms are binding upon and inure to the benefit of the parties and their permitted successors and assigns.

hashtag
24. Force Majeure

Neither party is liable for delay or failure to perform due to events beyond its reasonable control, including acts of God, labor disputes, zombie attacks, AGI, attacks by space aliens, governmental actions, war, terrorism, civil disturbances, failures of telecommunications or networks, or utility failures, provided that the affected party uses commercially reasonable efforts to resume performance.

hashtag
25. Severability; Waiver; Equitable Relief

If any provision of these Terms is held invalid, illegal, or unenforceable, the remaining provisions will remain in full force and effect, and the invalid provision will be deemed modified to the minimum extent necessary to make it valid and enforceable. No waiver is effective unless in writing and signed by the waiving party. You acknowledge that unauthorized use of the Services or Submissions may cause irreparable harm for which monetary damages are inadequate, and C4 may seek equitable relief without posting a bond.

hashtag
26. Third‑Party Beneficiaries; Entire Agreement

Sponsors are intended third‑party beneficiaries of Section 9 (Safe Harbor) and the Sponsor license in Section 8, solely to that extent. There are no other third‑party beneficiaries. These Terms (including the documents incorporated by reference) constitute the entire agreement between the parties regarding the Services and supersede all prior or contemporaneous understandings on that subject.

PreviousLegalNextPrivacy Policy

Last updated

Was this helpful?