dYdX Foundation Bug Bounty Program Terms and Conditions

PARTICIPATION IN THE BUG BOUNTY PROGRAM IS SUBJECT TO COMPLIANCE WITH THE TERMS OF USE OF DYDX FOUNDATION.

These Bug Bounty Program Terms and Conditions (these “Bug Bounty Terms”) apply to, and will govern, all vulnerabilities that are discovered by you and reported to dYdX Foundation (“dYdX Foundation” or “Foundation”) in accordance with these Bug Bounty Terms (the “Bug Bounty Program”). In the event of a conflict between these Bug Bounty Terms and the Terms of Use of dYdX Foundation (the “Terms of Use”), or any other previously published dYdX Foundation program, the terms of these Bug Bounty Terms will govern to the extent of such conflict. Please read these Bug Bounty Terms carefully before you participate in the Bug Bounty Program. By participating in the Bug Bounty Program, you represent and agree to be bound by these Bug Bounty Terms. By participating in the Bug Bounty Program, you agree to the Terms of Use and the Privacy Policy (the “Privacy Policy”). If you do not agree with the Terms of Use or Privacy Policy, then you should immediately stop using or accessing the Services and participating in the Bug Bounty Program.

1. ELIGIBILITY

Subject to these Bug Bounty Terms, to be eligible to participate in the Bug Bounty Program, during the period of your participation, you must:

• be of legal age in the jurisdiction in which you reside and you must have the legal capacity to enter into, and be bound by, these Bug Bounty Terms if you are participating in the Bug Bounty Program as an individual;

• have the legal authority to accept these Bug Bounty Terms on the applicable entity’s behalf, in which case “you” (except as used in this paragraph) will mean the foregoing entity if you are participating in the Bug Bounty Program as an entity;

• be the first person to report or disclose the vulnerability to dYdX Foundation in accordance with these Bug Bounty Terms, including by emailing sufficient information to legal@dydx.foundation;

• provide sufficient information to enable dYdX Foundation to reproduce and fix the applicable vulnerability;

• not engage in any unlawful conduct when discovering, reporting or disclosing the vulnerability to dYdX Foundation, including the use of threats, demands or any other coercive tactics;

• not have exploited or attempted to exploit the vulnerability in any way, including by making such vulnerability public or by obtaining a profit or other benefit (other than a payment under the Bug Bounty Program);

• make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any Services or Site (as defined in the Terms of Use), including using automated testing that generates significant amounts of traffic;

• submit only one (1) vulnerability per report or disclosure, unless you need to combine vulnerabilities to provide sufficient information with respect to any of the applicable vulnerabilities;

• not submit a vulnerability caused by the same underlying issue on which a payment has been provided under the Bug Bounty Program;

• not ask for payment in exchange for vulnerability details or dispute the applicability of the Bug Bounty Program to you, including the amount of any proposed or actual payment or categorization of a vulnerability; and

• not be a current or former employee (within 6 months), vendor, contractor, or agent for dYdX Foundation, or a current or former employee (within 6 months) of any of the foregoing.

dYdX Foundation reserves the right to limit or refuse your eligibility to participate in the Bug Bounty Program for any reason in its sole discretion, including but not limited to where your participation is prohibited by any Applicable Law. If dYdX Foundation becomes aware of any violation of these Bug Bounty Terms or the Terms of Use, dYdX Foundation may elect to, among other things, (a) prohibit you from using the Services or the Site; (b) withhold, amend or cancel the benefits of or payments under the Bug Bounty Program; or (c) require return of any payment made to you, including taking any action at law to obtain such payment.

2. SCOPE OF VULNERABILITIES

The following non-exhaustive types of vulnerabilities are excluded from any payments with respect to the Bug Bounty Program:

• vulnerabilities previously known to dYdX Foundation;

• vulnerabilities with respect to sites hosted by third parties unless such vulnerabilities lead to a vulnerability on the Site;

• vulnerabilities contingent on physical attack, social engineering, spamming, DDOS attack or other similar types of exploitation;

• vulnerabilities affecting outdated or unpatched browsers;

• vulnerabilities in third party applications that use dYdX Foundation API;

• vulnerabilities publicly disclosed in third-party libraries or technology used in the Services or the Site;

• vulnerabilities that require an improbable level of user interaction;

• vulnerabilities that require rooting or jailbreaking a mobile device;

• missing security headers without proof of exploitability;

• suggestions on best practices;

• software version disclosure;

• front end bugs;

• DDOS attacks;

• spamming;

• phishing;

• automated tools (github actions, aws); and

• compromise or misuse of third party systems or services.

dYdX Foundation reserves the right to determine whether a vulnerability is eligible for a payment under the Bug Bounty Program in its sole discretion.

3. DISCLOSURE AND REPORTING REQUIREMENTS

Any vulnerability discovered must be only reported to the following email: legal@dydx.foundation, and must comply with all other requirements in this Bug Bounty Program.

The vulnerability must not have been or be disclosed publicly or to any other persons before dYdX Foundation has been notified, has fixed the issue, and has granted permission, if at all, for such disclosure. The disclosure to dYdX Foundation must be made within twenty-four (24) hours following discovery of the applicable vulnerability. If similar vulnerabilities are reported within the applicable twenty-four (24)-hour period any payment may be split by dYdX Foundation between such reporters, or may be paid to the first person to make such report, and in either case shall be determined in the sole discretion of dYdX Foundation.

A detailed report of a vulnerability increases the likelihood of a payment and may increase the amount of such payment. Please provide as much information about the vulnerability as possible, including:

• the conditions on which reproducing the vulnerability is contingent;

• the steps needed to reproduce the vulnerability or, preferably, a proof of concept; and

• the potential implications of abusing the vulnerability.

4. PAYMENTS

Subject to these Bug Bounty Terms, you will receive payments based on the type of vulnerability reported or disclosed in accordance with Exhibit A. The categorization and amount of any payment will be determined at the sole discretion of dYdX Foundation, including without limitation eligibility for such payment, and the severity of any applicable vulnerability.

5. BUG BOUNTY PROGRAM ADMINISTRATION

dYdX Foundation reserves the right to administer the Bug Bounty Program in its sole discretion.

dYdX Foundation hereby reserves the right to amend, suspend or terminate the Bug Bounty Program at any time with or without prior notice or consent. dYdX Foundation further reserves the right to amend, withhold or cancel any Bug Bounty Program payments or benefits granted if dYdX Foundation becomes aware of any violation of these Bug Bounty Terms or the Terms of Use.

Administration of the Bug Bounty Program is at the sole discretion of dYdX Foundation, subject to the Applicable Law (as defined in the Terms of Use). Any questions relating to eligibility, or these Bug Bounty Terms or the Bug Bounty Program will be resolved by dYdX Foundation at dYdX Foundation’s sole discretion and its decision will be final and binding with respect thereto. If it is discovered by dYdX Foundation that you have or have attempted to violate these Bug Bounty Terms or the Terms of Use, then dYdX Foundation may disqualify you from any Bug Bounty Program payments or benefits in its sole discretion.

dYdX Foundation reserves the right to make awards that do not comply with every requirement herein, such as your failure to provide a detailed report of any vulnerability, or your failure to notify dYdX Foundation through the correct channel. Awards made pursuant to such exceptions made by dYdX Foundation do not constitute any waiver by dYdX Foundation of any other terms and conditions set forth herein.

6. PRIVACY

By participating in the Bug Bounty Program, you acknowledge and agree that any personal information that you provide will be maintained in accordance with the Privacy Policy. By participating in the Bug Bounty Program, you hereby (a) grant to dYdX Foundation the right to use your name, country of residence, email address and any other information you provide to dYdX Foundation (“Personal Information”) for the purpose of administering the Bug Bounty Program; (b) grant to dYdX Foundation the right to use your Personal Information for publicity, promotional, marketing and advertising purposes relating to the Bug Bounty Program, in any and all media now known or hereafter devised, without further compensation unless prohibited by Applicable Law; and (c) acknowledge that dYdX Foundation may disclose your Personal Information to its third-party agents and service providers in connection with any of the foregoing activities. dYdX Foundation will use your Personal Information only for the identified purposes and as contemplated in the Privacy Policy. Any conflict between the Privacy Policy and any authorization and/or licensing provided herein shall be governed by these Bug Bounty Terms.

If you access any personal information or other sensitive information for which you do not have authority to access, then you must immediately stop accessing such information and destroy all copies thereof. You must not provide such information to dYdX Foundation and must only provide dYdX Foundation a description thereof.

7. RELEASE AND PUBLICITY

YOU AGREE TO RELEASE AND HOLD HARMLESS DYDX FOUNDATION AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS FROM AND AGAINST ANY CLAIM OR CAUSE OF ACTION ARISING OUT OF YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND/OR ANY DETERMINATION MADE ABOUT YOUR ELIGIBILITY IN THE BUG BOUNTY PROGRAM OR ANY PAYMENT THEREUNDER THAT MAY OR MAY NOT BE DUE TO YOU. YOU AGREE THAT DYDX FOUNDATION AND ITS OFFICERS, DIRECTORS, EMPLOYEES, PARTNERS, AFFILIATED COMPANIES, SUBSIDIARIES, SUPPLIERS, DISTRIBUTORS, ADVERTISING AND PROMOTIONAL AGENCIES, AGENTS, SUCCESSORS AND ASSIGNS ARE NOT LIABLE FOR INJURIES, LOSSES OR DAMAGES OF ANY KIND ARISING FROM YOUR PARTICIPATION IN THE BUG BOUNTY PROGRAM AND ACCEPTANCE, POSSESSION AND USE OF THE BENEFITS OR PAYMENTS RECEIVED UNDER THE BUG BOUNTY PROGRAM. DYDX FOUNDATION IS NOT RESPONSIBLE FOR ANY TYPOGRAPHICAL OR OTHER ERROR IN THE PUBLICATION OF THESE BUG BOUNTY TERMS OR ADMINISTRATION OF THE BUG BOUNTY PROGRAM OR ANNOUNCEMENT THEREOF.

8. TAXES

You will be solely responsible for all income tax liabilities that arise from or in any way relate to any benefit or payment that dYdX Foundation conveys to you, including income taxes, sales, personal property, use, VAT, excise, withholding and self-employment taxes. dYdX Foundation has the right to withhold from any amounts payable to you such foreign, federal, state or local taxes as may be required to be withheld under any Applicable Law. You agree to report the value of the benefit or payment you receive from dYdX Foundation to all applicable legal and local authorities, and complete any required tax forms that dYdX Foundation requests be completed prior to or after receiving your benefit or payment.

9. GENERAL

Sections 11 through 18 of the Terms of Use are incorporated herein by reference, and you are equally subject to those provisions mutatis mutandis with respect to these Bug Bounty Terms and the Bug Bounty Program. Unless the context expressly otherwise requires, (a) wherever the word “include,” “includes” or “including” is used, it will be deemed to be followed by the words “without limitation”; and (b) the word “or” is not exclusive. dYdX Foundation may, with or without notice, revise these Bug Bounty Terms, including any benefits or payments, and publish amended versions thereof from time to time. Your participation or continued participation in the Bug Bounty Program constitute your acceptance of any amendments to these Bug Bounty Terms. dYdX Foundation may, in its sole discretion, amend or terminate the Bug Bounty Program at any time with or without notice, and your continued use of the dYdX Foundation websites or participation in the Bug Bounty Program after such amendment shall constitute acceptance of all amended terms.

EXHIBIT A

BUG BOUNTY PAYMENTS