Add a Notification Settings Button to all web notifications behind the web platform...
[chromium-blink-merge.git] / native_client_sdk / doc_generated / community / security-contest / contest-terms.html
blobd3b92bc603bd8be7cffddf9d7e3fb71b190abe45
1 {{+bindTo:partials.standard_nacl_article}}
3 <section id="security-contest-terms-and-conditions">
4 <span id="contest-terms"></span><h1 id="security-contest-terms-and-conditions"><span id="contest-terms"></span>Security Contest Terms and Conditions</h1>
5 <aside class="caution">
6 The Native Client Security Contest has ended&#8212;check out the
7 <a class="reference internal" href="/native-client/community/security-contest/index.html#contest-winners"><em>winning submissions</em></a>. We welcome your
8 continued involvement in the project. You can help by submitting
9 <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">bugs</a> and
10 participating in the <a class="reference external" href="http://groups.google.com/group/native-client-discuss">Native Client discussion group</a>.
11 </aside>
12 <aside class="warning">
13 This has been reformatted from the original, and the enumeration
14 list numbering style differs from the original document.
15 </aside>
16 <p>NO PURCHASE NECESSARY TO ENTER OR WIN. VOID WHERE PROHIBITED. CONTEST
17 IS OPEN TO RESIDENTS OF THE 50 UNITED STATES, THE DISTRICT OF COLUMBIA
18 AND WORLDWIDE, EXCEPT FOR ITALY, BRAZIL, QUEBEC, CUBA, IRAN, SYRIA,
19 NORTH KOREA, SUDAN AND MYANMAR.</p>
20 <p>ENTRY IN THIS CONTEST CONSTITUTES YOUR ACCEPTANCE OF THESE TERMS AND
21 CONDITIONS.</p>
22 <ol class="upperroman">
23 <li><p class="first">Binding Agreement</p>
24 <p>In order to enter the Native Client Security Contest (&#8220;Contest&#8221;),
25 you must agree to these Terms and Conditions (&#8220;Terms&#8221;). Therefore,
26 please read these Terms prior to entry to ensure you understand and
27 agree. You agree that submission of an entry in the Contest
28 constitutes your agreement to these Terms. After reading the Terms
29 and in order to participate, each Participant (as defined below)
30 must complete the registration form, clicking the &#8220;I understand and
31 agree&#8221; box (or the equivalent), on the Contest entry webpage. Once
32 the Participant clicks the &#8220;I understand and agree&#8221; box (or the
33 equivalent), the Terms form a binding legal agreement between each
34 Participant and Google with respect to the Contest.</p>
35 <p>Participants may not submit an Exploit, Issue or Summary to the
36 Contest and are not eligible to receive the prizes described in
37 these Terms unless they agree to these Terms. If a Participant is
38 part of a team, each member of the team must read and agree to
39 these Terms and click on the &#8220;I understand and agree&#8221; box (or the
40 equivalent) described herein. Failure of any member of a team to
41 agree to these Terms and click on the &#8220;I understand and agree&#8221; box
42 (or the equivalent) described herein will disqualify the entire
43 team.</p>
44 <p>By entering, Participant warrants that Participant has not violated
45 any employment agreement or other restriction imposed by his or her
46 employer by participating in this Contest.</p>
47 </li>
48 <li><p class="first">Description</p>
49 <p>The Contest is organized by Google and is designed to motivate the
50 developer community to identify and report security Exploits (as
51 defined below) on Google’s Native Client software and reward those
52 developers who identify one or more security Exploits that are
53 evaluated as a winning exploit by the Judges.</p>
54 <p>Once a Participant has registered for the Contest, the Participant
55 will be asked to identify security Exploits in Google’s Native
56 Client Software and enter those Exploits on Google’s <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client
57 Issue Tracker</a>
58 website using the &#8220;Security Contest Template.&#8221; At this point, the
59 Exploit will become an Issue and will no longer be able to be
60 identified by another Participant. Google will then verify that the
61 Issue is reproducible. If so, that Issue will become a Verified
62 Issue. Finally, the Participant will submit a Summary of up to his
63 or her top ten best Issues that were submitted on the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native
64 Client Issue Tracker</a>. Since it is
65 possible that an Issue may not be verified until after the Contest
66 End Date, if a Participant includes such an Issue in their Summary
67 and such Issue is not ultimately verified, then that Issue will not
68 be considered to be part of the Summary.</p>
69 <p>Prizes will be awarded to those Participants who submit the best
70 Summaries as determined in the sole discretion of the Judges when
71 considering the Judging Criteria described herein.</p>
72 </li>
73 <li><p class="first">Sponsor</p>
74 <p>The Contest is sponsored by Google Inc. (&#8220;Google&#8221; or &#8220;Sponsor&#8221;), a
75 Delaware corporation with its principal place of business at 1600
76 Amphitheater Parkway, Mountain View, CA, 94043, USA.</p>
77 </li>
78 <li><p class="first">Term</p>
79 <p>The Contest begins at 9:00:00 A.M. Pacific Time (PT) Zone in the
80 United States on Februrary 25th, 2009 (&#8220;Contest Start Date&#8221;) and
81 ends at 11:59:59 P.M. PT on May 5th, 2009 (&#8220;Contest End
82 Date&#8221;). Participants must register by May 5th, 2009 at 11:59:59
83 Pacific Time to be eligible to participate. ENTRANTS ARE
84 RESPONSIBLE FOR DETERMINING THE CORRESPONDING TIME ZONE IN THEIR
85 RESPECTIVE JURISDICTIONS.</p>
86 </li>
87 <li><p class="first">Definitions</p>
88 <p>Throughout these Terms, Google will use the following defined terms
89 and words. Please review them carefully to ensure you understand.</p>
90 <ol class="arabic simple">
91 <li>Covert Channel Attack: A &#8220;Covert Channel Attack&#8221; means an
92 attempt to manipulate certain properties of a communications
93 medium in an unexpected, unconventional, or unforeseen way in
94 order to transmit information through the medium without
95 detection by anyone other than the entities operating the covert
96 channel. Exploits that are Covert Channel Attacks are excluded
97 from the Contest.</li>
98 <li>Exploit: An &#8220;Exploit&#8221; means a sequence of steps that require and
99 use Native Client to produce or have the potential to produce
100 behavior prohibited by Native Client&#8217;s security policies and
101 design which can be found at
102 <a class="reference external" href="http://src.chromium.org/viewvc/native_client/trunk/src/native_client/README.html">http://src.chromium.org/viewvc/native_client/trunk/src/native_client/README.html</a>.
103 Google reserves the right to modify the security policies and
104 design at any time. An example of an Exploit would be producing
105 file system or network access outside of the scope of
106 permissible use via JavaScript in a browser. An Exploit that
107 defeats one but not all Native Client security measures is still
108 considered to produce behavior prohibited by Native Client&#8217;s
109 security policies for the purposes of this Contest and would be
110 entitled to be identified as an Exploit in the Contest.</li>
111 <li>Inner Sandbox: The &#8220;Inner Sandbox&#8221; means the Native Client
112 security system that a) inspects executables before running them
113 to try to detect the potential for an executable to produce
114 prohibited behavior, and b) prevents from running any
115 executables that are detected to have the potential to produce
116 prohibited behavior.</li>
117 <li>Issue: An &#8220;Issue&#8221; means an entry of a single Exploit by a
118 Participant into the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a> using a
119 properly filled out Security Contest Template. Once the Exploit
120 has been properly entered it becomes an Issue.</li>
121 <li>Native Client Issue Tracker: The &#8220;Native Client Issue Tracker&#8221;
122 is located at
123 <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">http://code.google.com/p/nativeclient/issues/list</a>. It is a web
124 application that manages and maintains a list of Issues,
125 including Issues that are not eligible for contest entry.</li>
126 <li>Native Client Version Number: The &#8220;Native Client Version Number&#8221;
127 is defined as the number between the platform name (separated by
128 an &#8216;_&#8217;) and the file extension (separated by a &#8216;.&#8217;) in the
129 Native Client download. For example, if the the filename of the
130 download on the Native Client download page is
131 &#8220;nacl_linux_0.1_32_2009_01_16.tgz&#8221; or
132 &#8220;nacl_windows_0.1_32_2009_01_16.zip&#8221;, the Version Number is
133 &#8220;0.1_32_2009_01_16&#8221;.</li>
134 <li>Outer Sandbox: The &#8220;Outer Sandbox&#8221; means the Native Client
135 security system that 1) observes executables while they are
136 running to detect the attempts at prohibited behavior and 2)
137 terminates misbehaving executables if it observes any attempts
138 to produce prohibited behavior.</li>
139 <li>Participant: A &#8220;Participant&#8221; means any individual or team of
140 individuals that has agreed to these Terms, meets the
141 eligibility criteria described below, and is participating in
142 the Contest.</li>
143 <li>Side Channel Attack: A &#8220;Side Channel Attack&#8221; means any attack
144 based on information gained as a side-effect of the
145 implementation of a cryptosystem, rather than brute force or
146 theoretical weaknesses in the algorithms. For example, attacks
147 that use timing information, power consumption variation,
148 electromagnetic leaks or sound to obtain information illicitly
149 are side channel attacks. Exploits that are Side Channel Attacks
150 are excluded from the Contest.</li>
151 <li>Summary: A &#8220;Summary&#8221; means the final electronic document
152 complying with the requirements of Section X that each
153 Participant must submit in order to participate in the
154 Contest. A Summary may contain up to 10 Issues. If Issues do not
155 ultimately become Verified Issues, they will not be considered
156 as part of the Summary and Participant understands and accepts
157 the risk that if the Participant identified an Issue on a
158 Summary that had not yet been verified, that Issue will not be
159 considered as part of the Summary if not subsequently verified.</li>
160 <li>Verified Issue: A &#8220;Verified Issue&#8221; means an Exploit that has
161 been a) submitted to the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a> in
162 accordance with these Terms, and b) confirmed by the Native
163 Client team at Google to exhibit the behavior described in the
164 Issue report.</li>
165 </ol>
166 </li>
167 <li><p class="first">Eligibility</p>
168 <p>The Contest is open to Participants who (1) have agreed to these
169 Terms; (2) who are of or above the legal age of majority, at the
170 time of entry, to form valid contracts in their respective country,
171 province or state of legal residence (and at least the age of 20 in
172 Taiwan); (3) are not residents of Italy, Brazil, Quebec, Cuba,
173 Iran, Syria, North Korea, Sudan, or Myanmar; and (4) who have
174 software development experience. Sponsor reserves the right to
175 verify eligibility and to adjudicate on any dispute at any
176 time. The Contest is void in, and not open to residents of, Italy,
177 Brazil, Quebec, Cuba, Iran, Syria, North Korea, Sudan, Myanmar, or
178 to individuals and entities restricted by U.S. export controls and
179 sanctions, and is void in any other nation, state, or province
180 where prohibited or restricted by U.S. or local law.</p>
181 <p>Employees and contractors of Google, affiliates and subsidiaries of
182 Google, the Judges and members of their immediate families (defined
183 as parents, children, siblings and spouse, regardless of where they
184 reside and/or those living in the same household of each) are not
185 eligible to participate in the Contest. Judges may not help any
186 Participant with their submissions and Judges must recuse
187 themselves in cases where they have a conflict of interest that
188 becomes known to the Judge.</p>
189 </li>
190 <li><p class="first">Registration &amp; Entry Process</p>
191 <ol class="arabic">
192 <li><p class="first">All Participants must register at
193 code.google.com/contests/nativeclient-security/ by May 5th, 2009
194 at 11:59:59 Pacific Time. All individuals participating in the
195 Contest (either as an individual Participant or as a member of a
196 team) must provide the following registration information:</p>
197 <ol class="loweralpha simple">
198 <li>Email Address(es) of the Participant. The first member of a
199 team to register must list the email addresses of all
200 members of the Participant team, and all members must
201 ultimately agree to the Terms as described more fully below.</li>
202 <li>Nationality and primary place of residence of the Participant.</li>
203 <li>If the Participant is a team, the email address of the team
204 member who is selected to be the recipient of the prize. The
205 first member of the team to register will designate this
206 information in the initial team registration.</li>
207 <li>Participant name, which is the team name in the case of a
208 team or the user name chosen by an individual in the case of
209 an individual Participant.</li>
210 </ol>
211 <p>Failure to fully, completely and accurately provide this
212 information will disqualify the Entry.</p>
213 </li>
214 <li><p class="first">Any potential prize recipient may be required to show proof of
215 being the authorized account holder for an email address. The
216 &#8220;Authorized Account Holder&#8221; is the natural person assigned to an
217 email address by the relevant provider of email services.</p>
218 </li>
219 <li><p class="first">Participants that are teams must provide the above registration
220 information for every individual who is a member of the
221 team. Every individual who is part of the team must agree to the
222 Terms in order for the team to be eligible to participate by
223 clicking the &#8220;I understand and agree&#8221; box (or the equivalent) on
224 the Contest entry webpage. Members of a team will be able to
225 edit the information relating to the team only until the last
226 member of the team has accepted these Terms by clicking the &#8220;I
227 understand and agree&#8221; box (or the equivalent) on the Contest
228 entry webpage. Issues submitted by members of a team prior to
229 the time that all individual members of the team have clicked
230 the &#8220;I understand and agree&#8221; box (or the equivalent) will not be
231 valid Issue submissions and will not be eligible entries in the
232 Contest. Google will send an email to all members of the team
233 when the final team member has accepted the terms, however
234 Google will have no liability for failure to send such an email
235 or for the failure of any team member to receive the email.</p>
236 </li>
237 <li><p class="first">Issues submitted by Participants who are individuals prior to
238 the time that the individual has clicked the &#8220;I understand and
239 agree&#8221; box (or the equivalent) will not be valid Issue
240 submissions and will not be eligible entries in the
241 Contest. Google will send an email to the individual when the
242 individual has accepted the terms, however Google will have no
243 liability for failure to send such an email or for the failure
244 of any team member to receive the email.</p>
245 </li>
246 <li><p class="first">All entries become the property of Sponsor and will not be
247 acknowledged or returned. Entries are void if they are in whole
248 or part illegible, incomplete, damaged, altered, counterfeit,
249 obtained through fraud, or late.</p>
250 </li>
251 <li><p class="first">LIMIT ONE ENTRY PER PERSON. Individuals may only enter one time,
252 whether as an individual Participant or as a team
253 Participant. Google, in its sole discretion, may disqualify any
254 Participant (including team Participants) that it believes has
255 violated this provision.</p>
256 </li>
257 </ol>
258 </li>
259 <li><p class="first">Submission Process</p>
260 <ol class="arabic simple">
261 <li>Each Participant must submit:<ol class="loweralpha">
262 <li>At least one Issue in the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a> that
263 describes an Exploit and includes the information detailed
264 in the &#8220;Issues&#8221; section below. Any team member can submit an
265 Issue on behalf of the team. All entries will be deemed made
266 by the Authorized Account Holder of the email address
267 submitted at the time of entry.</li>
268 <li>One Summary per Participant that includes the information
269 detailed in the &#8220;Summary&#8221; section below. Participant will be
270 entitled to amend its Summary until the Contest End Date and
271 only the last version will be considered by the Judges.</li>
272 </ol>
273 </li>
274 <li>Each Issue must be written in the English language. Google or
275 the Judges may refuse to review submissions that they deem
276 incomprehensible, include Issues that are not repeatable as
277 determined by Google, or that otherwise do not meet the
278 requirements of these Terms.</li>
279 <li>To enter an Issue in the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a>, each
280 Participant must use the &#8220;Security Contest Template&#8221; and provide
281 completely and accurately all information requested by the
282 template. Any Issues that are not entered with the &#8220;Security
283 Contest Template&#8221; may not be considered by the Judges. Each
284 Issue must contain the items described in the &#8220;Issues&#8221; section
285 of these Terms.</li>
286 </ol>
287 </li>
288 <li><p class="first">Issues</p>
289 <ol class="arabic simple">
290 <li>Minimum requirements for Issues: Participant must identify an
291 Exploit and enter the Exploit into the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue
292 Tracker</a>. Once the
293 Exploit is submitted it becomes an Issue. Each submitted Issue
294 must include (i) the following information and (ii) all
295 additional information requested on the &#8220;Security Contest
296 Template&#8221;:<ol class="loweralpha">
297 <li>The user name (in the case of Individual Participants) or
298 the team name (in the case of team Participants) of the
299 Participant submitting the Issue, which must be identical to
300 the user name or team name submitted during the registration
301 process.</li>
302 <li>A gzipped tar archive (with paths relative to
303 nacl/googleclient/native_client/tests/) that contains any
304 instructions and files necessary to reproduce the Exploit,
305 which must include:<ol class="arabic">
306 <li>A README.txt file that describes:<ul class="small-gap">
307 <li>The version number of current version of Native Client
308 at the time of submission. Issues submitted with a
309 version number listed other than the current version
310 at the time of submission will be invalid;</li>
311 <li>The steps required to reproduce the Exploit;</li>
312 <li>The effect of the Exploit; and</li>
313 <li>Platform requirements for the Exploit, including but
314 not necessarily limited to:</li>
315 <li>browser version;</li>
316 <li>operating system name(s) and version(s); and/or</li>
317 <li>any other platform requirements relevant to the Exploit.</li>
318 </ul>
319 </li>
320 <li>If the Exploit requires a binary executable, both the
321 source code and binary executable must be provided upon
322 creation of the Issue. Any subsequent updates to the
323 source code or binary executable after the creation of
324 the Issue will not be considered for the purposes of
325 this Contest. The binary executable must build cleanly
326 by executing the command &#8220;make&#8221; in the exploit directory
327 (e.g. nacl/googleclient/native_client/tests/exploit1).</li>
328 </ol>
329 </li>
330 </ol>
331 </li>
332 <li>Verified Issues: In order for an Issue to become a Verified
333 Issue, Google will first examine the submitted Issue to
334 determine whether it complies with the following:<ol class="loweralpha">
335 <li>The Exploit must not contain or depend upon access or use of
336 any third party software or code that Google does not have
337 readily available to it or that would require complying with
338 third party license agreement that Google in its sole
339 discretion deems onerous or burdensome.</li>
340 <li>Google must be able to replicate the Exploit in its sole
341 discretion.</li>
342 <li>The Exploit must affect at least one &#8220;opt-&#8221; platform from a
343 standard build of the most recent released version of Native
344 Client as of the time of submission of the Issue for the
345 Exploit.</li>
346 </ol>
347 </li>
348 <li>Timeliness<ol class="loweralpha">
349 <li>If the vulnerability exposed by the submitted Exploit was
350 disclosed in a previously reported Issue (whether or not
351 submitted by a Participant) or in the previously published
352 Native Client release notes, the submission will be invalid
353 for the purposes of this Contest. Two Exploits are
354 considered to expose the same vulnerability if the
355 theoretical patch required to fix one vulnerability also
356 fixes the second vulnerability.</li>
357 <li>Google will update the Native Client source code base at
358 most twice per week. These updates, if they occur, will
359 appear Mondays and Thursdays between 3 p.m. and 8
360 p.m. Pacific Time.</li>
361 <li>Issues will not be valid if they have been entered before
362 the later of (i) the Contest Start Date or (ii) the time at
363 which all members of a team Participant or the individual
364 Participant, as the case may be, have accepted these Terms.</li>
365 </ol>
366 </li>
367 <li>Excluded Exploits. The following types of Exploits are invalid
368 for the purposes of this Contest:<ul class="small-gap">
369 <li>Covert Channel Attacks;</li>
370 <li>Sidechannel Attacks;</li>
371 <li>Exploits requiring a virtualized CPU;</li>
372 <li>Exploits that rely on features, misfeatures or defects of
373 virtual machines (i.e. VMWare, Xen, Parallels etc.);</li>
374 <li>Exploits that require the machine to be previously compromised
375 by malicious software (including but not limited to viruses or
376 malware); and</li>
377 <li>Exploits that rely on hardware failures, other than Exploits
378 which, in Google’s sole judgment, depend on CPU errata but
379 which can be reproduced reliably with a common system
380 configuration and under normal operating conditions, or
381 statistically improbable hardware behaviors. Examples include
382 but are not limited to Exploits that rely on memory errors
383 induced by cosmic radiation, and Exploits that require
384 abnormal heating, cooling or other abnormal physical
385 conditions.</li>
386 </ul>
387 </li>
388 <li>Completeness. Issues submitted that lack any of the above
389 materials or fail to meet any of the above criteria, may not be
390 considered in the judging process at Google&#8217;s sole
391 discretion. Issues that are not included in a Participant
392 Summary (see section below) will not be considered.</li>
393 </ol>
394 </li>
395 <li><p class="first">Summary</p>
396 <ol class="arabic simple">
397 <li>Every Participant must submit a Summary at the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client
398 Issue Tracker</a> complying
399 with the requirements of this section. The Participant must
400 select no more than 10 of the Verified Issues submitted by the
401 Participant for inclusion on the Summary. Each Summary must be
402 in English and must contain the following information:<ul class="small-gap">
403 <li>The Issues must be listed in descending order of severity, as
404 determined by the Participant in accordance with the Judging
405 Criteria.</li>
406 <li>Each Issue listed in the Summary must be identified by ID
407 number of the Issue. The ID number is the identifying number
408 created for each Issue as listed on the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue
409 Tracker</a>.</li>
410 <li>A description of the effect of each Exploit.</li>
411 <li>The platform requirements of each Exploit.</li>
412 <li>The version number(s) of Native Client software affected by
413 each Exploit (which must be the version number of the Native
414 Client software current at the time the Issue was submitted to
415 the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue Tracker</a>).</li>
416 <li>Any other details about the Exploit and the submission that
417 are relevant to the judging criteria, such as, for example,
418 the approach used in finding the exploits, innovative or
419 scalable techniques used to discover exploits, or
420 architectural analysis.</li>
421 <li>The team name or user name of the Participant. Google may, in
422 its sole discretion, eliminate or disqualify any Summary that
423 lists user names or team names that are not identical to the
424 user name or team name of the Participant listed on the
425 Contest entry form.</li>
426 </ul>
427 </li>
428 <li>Each Summary must be a maximum of 8 pages long, in PDF format
429 viewable with Adobe Reader version 9. The Summary must be
430 formatted for 8.5 inches x11 inches or A4 paper, with a minimum
431 font size of 10 pt. Any submission that does not meet these
432 formatting criteria may be disqualified at the sole discretion
433 of Google.</li>
434 <li>All Issues listed in the Summary will be verified by Google
435 before submission of the Summary to the Judges after the Contest
436 Closing Date. Participants may submit or resubmit their Summary
437 at any time during the duration of the Contest, however, the
438 Judges will consider only the last Summary from each Participant
439 prior to the Contest Closing Date and ignore all other Summaries
440 previously submitted by the Participant.</li>
441 </ol>
442 </li>
443 <li><p class="first">Judging</p>
444 <ol class="arabic">
445 <li><p class="first">After the Contest End Date and on or about May 15th, 2009, all
446 submitted Summaries will be judged by one of at least three
447 panels with a minimum of three experts in the field of online
448 security (&#8220;Judges&#8221;) on each panel. Judges will evaluate each
449 Summary in accordance with the Judging Criteria described
450 below. Each panel will evaluate a number of the submitted
451 Summaries using the Judging Criteria described below and will
452 select the highest ranking Summaries to move to the next level
453 of judging. During the first round of judging, each panel will
454 select no more than ten Summaries to move forward to the second
455 round of judging unless there is a tie between or among any
456 Participants. During the second round of judging, those
457 Summaries selected during the first round of judging will then
458 be evaluated by all Judges using the below Judging Criteria and
459 the top five Summaries will be selected as potential
460 winners. All decisions of the Judges are final and binding.</p>
461 </li>
462 <li><p class="first">Judging Criteria. The Judges will consider each Summary under
463 following judging criteria (&#8220;Judging Criteria&#8221;):</p>
464 <ol class="loweralpha">
465 <li><p class="first">Quality of Exploit. Quality will be decided by the Judges in
466 their sole discretion and will be based on (in order of
467 importance to the Judges) Severity, Scope, Reliability and
468 Style.</p>
469 <ol class="lowerroman">
470 <li><p class="first">Severity: the more disruptive the effects of the
471 Exploit, the higher its quality. Here is a
472 non-exhaustive ranking of the most common Exploits
473 starting from &#8216;minor&#8217; to &#8216;severe&#8217;:</p>
474 <ul class="small-gap">
475 <li><p class="first">Browser crash;</p>
476 </li>
477 <li><p class="first">Denial of service or machine crash;</p>
478 </li>
479 <li><p class="first">Compromise of the Outer Sandbox;</p>
480 </li>
481 <li><p class="first">Information leak (such as of a cookie or password);</p>
482 </li>
483 <li><p class="first">Compromise of both the Inner and Outer Sandbox; and/or</p>
484 </li>
485 <li><p class="first">Prohibited side effect (such as reading or writing
486 files to the client machine), escalation of privilege
487 (such as executing other programs outside of Native
488 Client).</p>
489 </li>
490 </ul>
491 <p>Any Exploit that does not address the above elements
492 will be evaluated on a case-by-case basis and the
493 severity of such Exploits will be determined solely at
494 the Judge’s discretion.</p>
495 </li>
496 <li><p class="first">Scope: the more computers that an Exploit would
497 potentially affect, the bigger its scope and therefore
498 higher the quality of the Exploit. Consider the
499 following:</p>
500 <ul class="small-gap">
501 <li><p class="first">Exploits that affect all platforms supported by Native
502 Client (where platform is defined as a browser,
503 operating system and hardware combination) have higher
504 quality than an Exploit specific to a particular
505 platform.</p>
506 </li>
507 <li><p class="first">Exploits that require non-current or beta versions
508 (historic or future) of hardware or software are lower
509 quality.</p>
510 </li>
511 <li><p class="first">Exploits that rely on concurrent usage of other
512 installed software or web content must make a
513 compelling case about the likelihood of the
514 prerequisite software or content being present, or
515 they will be considered of lower quality.</p>
516 </li>
517 </ul>
518 </li>
519 <li><p class="first">Reliability: The more frequent or probable the
520 occurrence identified by the Exploit, the more
521 &#8220;reliable&#8221; it may be. Consider the following:</p>
522 <ul class="small-gap">
523 <li><p class="first">Exploits that require uncommon software to be
524 installed on the machine in order to function will be
525 deemed to have lower quality.</p>
526 </li>
527 <li><p class="first">Entries that include Exploits that cannot be
528 reproduced 100% of the time, but which can be
529 reproduced a significant percentage of the time, will
530 be deemed to have a lower quality to account for a
531 lowered probability that the attack will succeed.</p>
532 </li>
533 </ul>
534 </li>
535 <li><p class="first">Style: Submissions that demonstrate exceptional style
536 will receive a higher ranking. Factors that contribute
537 to style include:</p>
538 <ul class="small-gap">
539 <li><p class="first">Ingenuity in mechanism used to bypass security;</p>
540 </li>
541 <li><p class="first">Uniqueness of the Exploit;</p>
542 </li>
543 <li><p class="first">Ingenuity in methods used to discover vulnerabilities;
544 and/or Minimal size of Exploit to achieve the effect.</p>
545 </li>
546 </ul>
547 </li>
548 </ol>
549 </li>
550 <li><p class="first">the Quantity of Exploits: Participants that submit more
551 Exploits in their Summary (but no more than 10) may receive
552 a higher ranking, weighted by quality. However, it is still
553 possible that a Participant who submits one Exploit could
554 still outweigh a Participant that submits several Exploits.</p>
555 </li>
556 </ol>
557 <p>Considering each of the factors described above, the Judges will
558 give each Summary a &#8220;Score&#8221; from 1-10 that represents the Judges
559 evaluation of the Summary. This &#8220;score&#8221; will determine which
560 participants move from the first round of judging to the second
561 round of judging, and which participants will be selected as a
562 winner.</p>
563 </li>
564 <li><p class="first">Winner Selection</p>
565 <p>Judges will review the Summaries as discussed in the &#8220;Judging&#8221;
566 section, above. The Summaries with the five (5) highest scores
567 will be selected as potentially winning Participants. In the
568 event of a tie ranking for two or more Summaries, the
569 Participant whose Summary had the highest ranking for &#8220;Severity&#8221;
570 will receive the higher prize. In the event of a second tie, the
571 Participant whose Summary had the highest ranking for &#8220;Scope&#8221;
572 will receive the higher prize. Odds of winning depend on the
573 number of eligible entries received and the skill of the
574 Participants.</p>
575 <p>The Judges are under no obligation to provide feedback on their
576 decisions or on their judgment on specific Exploits they
577 consider.</p>
578 </li>
579 <li><p class="first">Team Winners</p>
580 <p>A special note about the prize distribution process for
581 Participants who are entering as part of a team:</p>
582 <p>A single member of each team shall be designated to receive the
583 prize, if any, awarded to such team at the initial registration
584 of the team, and Google shall have no responsibility for
585 distribution of the prize among the team members.</p>
586 <p>Each individual that enters as part of a team, understands and
587 agrees that if his/her team is selected to receive a prize, the
588 team is responsible for ensuring the funds are appropriately
589 distributed to each member of the team. In addition, once a team
590 has registered, the team may not add, remove, or substitute any
591 members or otherwise change the composition of the team for the
592 duration of the Contest. If any member of a team does not comply
593 with these Terms, is ineligible or is disqualified, the team as
594 a whole may be disqualified in Google’s sole discretion.</p>
595 </li>
596 </ol>
597 </li>
598 <li><p class="first">Prizes</p>
599 <ol class="arabic">
600 <li><p class="first">Information Required for Eligibility</p>
601 <ol class="loweralpha simple">
602 <li>On or about May 15th 2009 and upon selection of potential
603 winners, Google will contact all winning Participants using
604 the email addresses submitted at registration. In order to
605 win the Contest and receive prizes, Participants, including
606 each individual on a team, must provide additional
607 information including:<ul class="small-gap">
608 <li>first and last name;</li>
609 <li>address;</li>
610 <li>phone number; and</li>
611 <li>all other necessary information required by the US tax and
612 legal authorities and /or the authorities of the countries
613 they reside in.</li>
614 </ul>
615 </li>
616 <li>All Participants will need to verify their identity with
617 Google, before receiving their prize; however, Participants
618 may provide an alias for use in any public documentation and
619 marketing material issued publicly by Google, subject to
620 limitations of the law and as required by law
621 enforcement. Please be aware that in some jurisdictions, a
622 list of winners must be made available and your name, and
623 not the alias, will be provided on that list. If a
624 Participant, or in the case of a team, any individual member
625 of the team, refuses or fails to provide the necessary
626 information to Google within 14 days of the Contest
627 administrators&#8217; request for the required information, then
628 Google may, in its sole discretion, disqualify the
629 Participant&#8217;s entry and select as an alternative potential
630 winner the Participant with the next highest overall
631 ranking. Google will not be held responsible for any failure
632 of potential winners to receive notification that they are
633 potential winners. Except where prohibited by law, each
634 potential winner may be required to sign and return a
635 Declaration of Eligibility, Liability &amp; Publicity Release
636 and Release of Rights and provide any additional information
637 that may be required by Google. If required, potential
638 winners must return all such required documents within 14
639 calendar days following attempted notification or such
640 potential winner will be deemed to have forfeited the prize
641 and Google will select the Participant with the next highest
642 overall ranking as the potential winner.</li>
643 <li>Prizes will be awarded within 6 months after the Contest End Date.</li>
644 <li>If fewer than 5 Participants or teams are found eligible,
645 fewer than 5 winners will be selected.</li>
646 <li>Prizes are not transferable or substitutable, except by
647 Google in its sole discretion in the event a prize becomes
648 unavailable for any reason. In such an instance, Google will
649 award a prize of equal or greater value.</li>
650 <li>LIMIT: Only one prize per Participant.</li>
651 </ol>
652 </li>
653 <li><p class="first">Prize Amounts and Announcement</p>
654 <p>Provided that the Participant has complied with these Terms,
655 eligible Participants that are ranked in the top 5 positions of
656 the competition by Judges will receive the following awards in
657 U.S. Dollars based on their rank: 1st prize: $8,192.00, 2nd
658 prize: $4,096.00, 3rd prize: $2,048.00, 4th prize: $1,024.00,
659 5th prize: $1,024.00. Winning Entries will be announced on or
660 about December 7th.</p>
661 </li>
662 <li><p class="first">Distribution of a Prize</p>
663 <p>Google is not responsible for any division or distribution of
664 the prizes among or between team members. Distribution or
665 division of the prize among individual team members is the sole
666 responsibility of the participating team. Google will award the
667 prize only to the one (1) member of the team, who was identified
668 by the Participant to receive the prize as part of the
669 registration process. Google will attempt to reach only the
670 designated recipient for purposes of distribution of the prize.</p>
671 <p>Prizes are awarded without warranty of any kind from Google,
672 express or implied, without limitation, except where this would
673 be contrary to federal, state, provincial, or local laws or
674 regulations. All federal, state, provincial and local laws and
675 regulations apply.</p>
676 </li>
677 <li><p class="first">Taxes</p>
678 <p>Payments to potential prize winners are subject to the express
679 requirement that they submit to Google all documentation
680 requested by Google to permit it to comply with all applicable
681 US, state, local and foreign (including provincial) tax
682 reporting and withholding requirements. All prizes will be net
683 of any taxes Google is required by law to withhold. All taxes
684 imposed on the prize are the sole responsibility of the prize
685 recipient.</p>
686 <p>In order to receive a prize, potential prize recipients must
687 submit the tax documentation requested by Google or otherwise
688 required by applicable law, to Google or the relevant tax
689 authority, all as determined by applicable law, including, where
690 relevant, the law of the potential prize recipient&#8217;s country of
691 residence. The potential prize recipient is responsible for
692 ensuring that (s)he complies with all the applicable tax laws
693 and filing requirements. If a potential prize recipient fails to
694 provide such documentation or comply with such laws, the prize
695 may be forfeited and Google may, in its sole discretion, select
696 an alternative potential prize recipient.</p>
697 </li>
698 </ol>
699 </li>
700 <li><p class="first">General Conditions</p>
701 <ol class="arabic">
702 <li><p class="first">Right to Disqualify. A Participant may be prohibited from
703 participating in or be disqualified from this Contest if, in
704 Google&#8217;s sole discretion, it reasonably believes that the
705 Participant or any member of a Participant team has attempted to
706 undermine the legitimate operation of the Contest by cheating,
707 deception, or other unfair playing practices or annoys, abuses,
708 threatens or harasses any other Participants, Google, or the
709 Judges. Google further reserves the right to disqualify any
710 Issue that it believes in its sole and unfettered discretion
711 infringes upon or violates the rights of any third party,
712 otherwise does not comply with these Terms, or violates U.S. or
713 applicable local law in Participant&#8217;s country of residence.</p>
714 <p>Google further reserves the right to disqualify any Participant
715 who tampers with the submission process or any other part of the
716 Contest. Any attempt by a Participant to deliberately damage any
717 website or undermine the legitimate operation of the Contest is
718 a violation of criminal and civil laws and should such an
719 attempt be made, Google reserves the right to seek damages from
720 any such Participant to the fullest extent of the applicable
721 law.</p>
722 </li>
723 <li><p class="first">Internet Disclaimer. Google is not responsible for any
724 malfunction of the entire Contest, the website displaying the
725 Contest terms and entry information, or any late, lost, damaged,
726 misdirected, incomplete, illegible, undeliverable, or destroyed
727 Exploits, Issues or Summaries due to system errors, failed,
728 incomplete or garbled computer or other telecommunication
729 transmission malfunctions, hardware or software failures of any
730 kind, lost or unavailable network connections, typographical or
731 system/human errors and failures, technical malfunction(s) of
732 any telephone network or lines, cable connections, satellite
733 transmissions, servers or providers, or computer equipment,
734 traffic congestion on the Internet or at the website displaying
735 the Contest or any combination thereof, including other
736 telecommunication, cable, digital or satellite malfunctions
737 which may limit an entrant’s ability to participate. Google is
738 not responsible for availability of the <a class="reference external" href="http://code.google.com/p/nativeclient/issues/list">Native Client Issue
739 Tracker</a>
740 from your preferred point of Internet access. In the event of a
741 technical disruption, Google may, in its sole discretion, extend
742 the Contest End Date for a reasonable period. Google will
743 attempt to notify Participants of any such extension by email at
744 the email address in the registration information, but shall
745 have no liability for any failure of such notification.</p>
746 </li>
747 <li><p class="first">Exploits Independently Discovered by Google. You acknowledge and
748 understand that Google may discover Exploits independently that
749 may be similar to or identical to your Issues in terms of
750 function, vulnerability, or in other respects. You agree that
751 you will not be entitled to any rights in, or compensation in
752 connection with, any such similar or identical applications
753 and/or ideas. You acknowledge that you have submitted your entry
754 voluntarily and not in confidence or in trust.</p>
755 </li>
756 <li><p class="first">No Contract for Employment. You acknowledge that no
757 confidential, fiduciary, agency or other relationship or
758 implied-in-fact contract now exists between you and Google and
759 that no such relationship is established by your submission of
760 an entry to Google in this Contest. Under no circumstances shall
761 the submission of an entry in the Contest, the awarding of a
762 prize, or anything in these Terms be construed as an offer or
763 contract of employment with Google.</p>
764 </li>
765 <li><p class="first">Intellectual Property Rights and License. Participants warrant
766 that their Exploit and Summary are their own original work and,
767 as such, they are the sole and exclusive owner and rights holder
768 of the submitted Exploit and Summary and that they have the
769 right to submit the Exploit and Summary in the Contest and grant
770 all required licenses. Each Participant agrees not to submit any
771 Exploit and Summary that (a) infringes any third party
772 proprietary rights, intellectual property rights, industrial
773 property rights, personal or moral rights or any other rights,
774 including without limitation, copyright, trademark, patent,
775 trade secret, privacy, publicity or confidentiality obligations;
776 or (b) otherwise violates the applicable state, federal,
777 provincial or local law.</p>
778 <p>As between Google and the Participant, the Participant retains
779 ownership of all intellectual and industrial property rights in
780 and to the Issues and Summary that Participant created. As a
781 condition of entry, Participant grants Google a perpetual,
782 irrevocable, worldwide, royalty-free, and non-exclusive license
783 to use, reproduce, publicly perform, publicly display,
784 distribute, sublicense and create a derivative work from, any
785 Issue or Summary that Participant submits to this Contest for
786 the purposes of allowing Google to test, evaluate and fix or
787 remedy the Issue and Summary for purposes of the Contest and
788 modifying or improving the Native Client software or any other
789 current or future Google product or service.</p>
790 <p>Participant also grants Google the right to reproduce and
791 distribute the Issue and the Summary. In addition, Participant
792 specifically agrees that Google shall have the right to use,
793 reproduce, publicly perform, and publicly display the Issue and
794 Summary in connection with the advertising and promotion of the
795 Native Client software or any other current or future Google
796 product or service via communication to the public or other
797 groups, including, but not limited to, the right to make
798 screenshots, animations and video clips available for
799 promotional purposes.</p>
800 </li>
801 <li><p class="first">Privacy. Participants agree that personal data provided to
802 Google during the Contest, including name, mailing address,
803 phone number, and email address may be processed, stored, and
804 otherwise used for the purposes and within the context of the
805 Contest. This data will be maintained in accordance with the
806 Google Privacy Policy found at
807 <a class="reference external" href="http://www.google.com/privacypolicy.html">http://www.google.com/privacypolicy.html</a>. This data will also be
808 transferred into the United States. By entering, Participants
809 agree to the transmission, processing, and storage of this
810 personal data in the United States.</p>
811 <p>Participants also understand this data may be used by Google in
812 order to verify a Participant&#8217;s identity, postal address and
813 telephone number in the event a Participant qualifies for a
814 prize. Participants have the right to access, review, rectify or
815 cancel any personal data held by Google in connection with the
816 Contest by writing to Google at the address listed below in the
817 section entitled &#8220;Winner’s List.&#8221;</p>
818 <p>For residents of the European Union:</p>
819 <p>Pursuant to EU law pertaining to data collection and processing,
820 you are informed that:</p>
821 <ul class="small-gap">
822 <li><p class="first">The data controller is Google and the data recipients are
823 Google and its agents;</p>
824 </li>
825 <li><p class="first">Your data is collected for purposes of administration of the
826 Native Client Security Contest;</p>
827 </li>
828 <li><p class="first">You have a right of access to and withdrawal of your personal
829 data. You also have a right of opposition to the data
830 collection, under certain circumstances. To exercise such
831 right, You may write to: Native Client Security Contest,
832 Google Inc., 1600 Amphitheater Parkway, Mountain View, CA
833 94043, USA.</p>
834 </li>
835 <li><p class="first">Your personal data will be transferred to the U.S.</p>
836 </li>
837 </ul>
838 </li>
839 <li><p class="first">Indemnity. To the maximum extent permitted by law, each
840 Participant indemnifies and agrees to keep indemnified Google
841 and Judges at all times from and against any liability, claims,
842 demands, losses, damages, costs and expenses resulting from any
843 act, default or omission of the Participant and/or a breach of
844 any warranty set forth herein. To the maximum extent permitted
845 by law, each Participant agrees to defend, indemnify and hold
846 harmless Google, its affiliates and their respective directors,
847 officers, employees and agents from and against any and all
848 claims, actions, suits or proceedings, as well as any and all
849 losses, liabilities, damages, costs and expenses (including
850 reasonable attorneys fees) arising out of or accruing from:</p>
851 <ol class="loweralpha simple">
852 <li>any material uploaded or otherwise provided by the
853 Participant that infringes any copyright, trademark, trade
854 secret, trade dress, patent or other intellectual property
855 right of any person or defames any person or violates their
856 rights of publicity or privacy,</li>
857 <li>any misrepresentation made by the Participant in connection
858 with the Contest;</li>
859 <li>any non-compliance by the Participant with these Terms; and</li>
860 <li>claims brought by persons or entities other than the parties
861 to these Terms arising from or related to the Participant&#8217;s
862 involvement with the Contest.</li>
863 </ol>
864 <p>To the extent permitted by law, Participant agrees to hold
865 Google, its respective directors, officers, employees and
866 assigns harmless for any injury or damage caused or claimed to
867 be caused by participation in the Contest and/or use or
868 acceptance of any prize, except to the extent that any death or
869 personal injury is caused by the negligence of Google.</p>
870 </li>
871 <li><p class="first">Elimination. Any false information provided within the context
872 of the Contest by any Participant including information
873 concerning identity, mailing address, telephone number, email
874 address, or ownership of right, or non-compliance with these
875 Terms or the like may result in the immediate elimination of the
876 Participant from the Contest. In the event an individual who is
877 a member of a team supplies information that is covered by this
878 section, the entire team shall be disqualified.</p>
879 </li>
880 <li><p class="first">Right to Cancel. If for any reason the Contest is not capable of
881 running as planned, including infection by computer virus, bugs,
882 tampering, unauthorized intervention, fraud, technical failures,
883 or any other causes which corrupt or affect the administration,
884 security, fairness, integrity, or proper conduct of the Contest,
885 Google reserves the right at its sole discretion to cancel,
886 terminate, modify or suspend the Contest.</p>
887 </li>
888 <li><p class="first">Forum and Recourse to Judicial Procedures. These Terms shall be
889 governed by, subject to, and construed in accordance with the
890 laws of the State of California, United States of America,
891 excluding all conflict of law rules. If any provision(s) of
892 these Terms are held to be invalid or unenforceable, all
893 remaining provisions hereof will remain in full force and
894 effect. To the extent permitted by law, the rights to litigate,
895 seek injunctive relief or make any other recourse to judicial or
896 any other procedure in case of disputes or claims resulting from
897 or in connection with this Contest are hereby excluded, and all
898 Participants expressly waive any and all such rights.</p>
899 </li>
900 <li><p class="first">Arbitration. By entering the Contest, you agree that exclusive
901 jurisdiction for any dispute, claim, or demand related in any
902 way to the Contest will be decided by binding arbitration. All
903 disputes between you and Google, of whatsoever kind or nature
904 arising out of these Terms, shall be submitted to Judicial
905 Arbitration and Mediation Services, Inc. (&#8220;JAMS&#8221;) for binding
906 arbitration under its rules then in effect in the San Jose,
907 California, USA area, before one arbitrator to be mutually
908 agreed upon by both parties. The parties agree to share equally
909 in the arbitration costs incurred.</p>
910 </li>
911 <li><p class="first">Winner List</p>
912 <p>You may request a list of winners after December 7th, 2009 by
913 writing to:</p>
914 <div class="line-block">
915 <div class="line">Native Client Security Contest</div>
916 <div class="line">Google Inc.</div>
917 <div class="line">1600 Amphitheater Parkway</div>
918 <div class="line">Mountain View, CA 94043</div>
919 <div class="line">USA</div>
920 </div>
921 <p>(Residents of Vermont need not supply postage).</p>
922 </li>
923 </ol>
924 </li>
925 </ol>
926 </section>
928 {{/partials.standard_nacl_article}}