IMPORTANT: By initiating any security review of the "Product" (as defined below), you ("Reviewer") expressly agree to comply fully with all terms and conditions set forth in this Policy. If you cannot or will not adhere to these terms, you must refrain from conducting any security review and remove our Product from your systems.

Purpose and Legitimate Interest

This Policy ensures that every external assessment of PC APP STORE (the "Product") is technically accurate, reproducible and responsibly disclosed, thereby protecting end users from genuine threats while safeguarding the Company's commercial reputation and contractual pipeline.

18.1. DEFINITIONS

Product(s): All software files, executables, source code, build artefacts, servers, cloud environments, domains, URLs, digital signatures, billing infrastructure, CDNs, hosting platforms, associated libraries and any other element related directly or indirectly to PC APP STORE.

Flag / Detection / Classification ("Flag"): Any marking, notification, alert, label, naming convention, coding, publication, or any other designation, whether automated or manual, that might convey or imply to end users or the public that an issue, security risk, or negative condition exists in or about the Product.

Responsible Entity: Any individual, organization, or team member involved in conducting or commissioning a security review of the Product.

Legitimate and Recognised Security Entity ("LRSE"): A Responsible Entity possessing proprietary technology, direct expertise and demonstrated capability to produce a Substantiated Detection (see Section 18.1, item 5).

Substantiated Detection: A Flag supported by a Supporting Evidence Package (see Section 18.5, item 3).

18.2. LEGITIMATE AND RECOGNIZED SECURITY ENTITIES ("LRSE")

Authorized Organizations: Only Legitimate and Recognized Security Entities ("LRSE"), defined as those possessing proprietary technology, direct technical expertise, and established capabilities for thorough security reviews, are authorized to conduct assessments of the Product.

Exclusion of Inadequate Capabilities: Any entity or individual primarily relying on superficial scanning tools, heuristic-based third-party systems, or methods that cannot substantiate findings down to the source-code level is not considered a Legitimate and Recognized Security Entity. Such entities are expressly prohibited from conducting, disclosing, or publicly reporting on any security assessment of the Product.

Whitelisting Requirement for Insufficient Expertise: If you or your organization lack the requisite capability or expertise to conduct a comprehensive code-level review, you agree to whitelist the Product in any detection systems you control and to refrain from issuing or publicly sharing any Flag regarding the Product.

18.3. PERMISSIBLE AND VALID SECURITY ACTIVITIES

Legitimate and Recognized Security Entities may perform only the following assessments, provided such activities are conducted responsibly and do not disrupt, degrade, or otherwise harm the Product's operations or availability (e.g., no Distributed Denial of Service, brute force, hacking intrusions, or destructive injections). The following are considered Valid Security Activities:

Vulnerability Assessments: Identification of potential security flaws (such as buffer overflows, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE), directory traversal, insecure direct object references (IDOR), authentication/authorization weaknesses, and configuration errors), carried out without disruption to the Product.
Zero-Day Vulnerabilities: Discovery and responsible disclosure of previously unknown vulnerabilities for which no patch exists, adhering to confidential and timely reporting obligations (see Section 18.5).

Supply Chain Security Assessments: Evaluation of the Product's dependencies, build processes, or third-party components to identify malicious code injections, dependency confusion risks, or other supply-chain-related vulnerabilities.

Code Reviews and Secure Development Practices: Analysis of the Product's source code for insecure coding patterns, logic flaws, unsafe use of libraries/frameworks, or unintended exposure of sensitive information (e.g., credentials), focusing exclusively on legitimate security issues.

Infrastructure and Configuration Security Reviews: Assessment of cloud configurations, API security, credential management, privilege settings, file permissions, TLS/SSL implementations, and similar infrastructure-related security measures, provided such assessments do not compromise the Product's performance or availability.

Identity and Access Management (IAM) Assessments: Identification of vulnerabilities in privilege escalation, incorrect permission assignments, weak authentication, or lack of adequate security controls (such as MFA), executed without negatively impacting the service or user experience.

Penetration Testing: Simulated attack scenarios (including social engineering and internal/external network security tests) performed responsibly to avoid any substantial service interruption or data compromise.

18.4. PROHIBITED AND INVALID ACTIVITIES

Any activity outside the scope described in Section 18.3 or violating the conditions of this Policy is strictly prohibited and considered Invalid. Prohibited activities include, but are not limited to:

Unauthorized Scope: Conducting or reporting on any review, scan, or test beyond what is explicitly permitted under Section 18.3.
Partial or Superficial Reviews: Using pattern-based, probabilistic, or heuristic-only checks (e.g., antivirus heuristics, generic scans, or incomplete data) without comprehensive code-level analysis.

Commercial Self-Promotion: Using the Product's findings, real or alleged, to market, advertise, or promote your own security products or services.

Non-Security Criteria Assessments: Issuing any Flag based on subjective or extraneous factors such as EULA terms, user interface preferences, commercial or business models, pricing, partnerships, or marketing strategies. Only objective, security-related criteria may be used to justify a Flag.

Non-Objective Criteria: Applying criteria to the Product that you do not uniformly apply to other products under similar review. Any selective or biased evaluation standard is strictly prohibited.

Monetization or Exploitation of Findings: Leveraging discovered issues or reports for SEO, advertising, self-publication, or any form of publicity, including but not limited to social media posts, press releases, or promotional campaigns.

18.5. IMMEDIATE DISCLOSURE REQUIREMENT

Timeliness of Disclosure: Failure to promptly disclose vulnerabilities or deliberately withholding critical security details can endanger our end users and may constitute criminal conduct under applicable law.

Mandatory 12-Hour Notification: Any detections, discovered vulnerabilities, or security issues must be reported to support@veryfast.io no later than 12 hours after initial discovery.

Report Format and Content: Disclosures must provide a "Supporting Evidence Package" in alignment with ISO/IEC 29147 (or equivalent industry best practices) and must include the following details to be deemed valid:

* Reporter's full name, position, company, email address, and phone number.
* The exact source from which the Product/file was obtained.
* Product name, file name, and version under review.
* Detailed description of the testing environment (OS, network architecture, etc.).
* Security tools or methodologies used (names and versions).
* Exact reproduction steps or exploit proof-of-concept.
* Objective justification for classifying the vulnerability as a security issue.
* References to relevant standards, specifications, and/or objective criteria.

Incomplete or Non-Compliant Reports: Any report lacking the details above is deemed incomplete and will be considered void until the missing information is fully provided.

18.6. REMEDIATION

Valid Remediation: Before the Remediation Period commences, both Reviewer and Company must mutually agree that the reported issue constitutes a legitimate and valid security vulnerability, and not one that is invalid (see Section 18.4).

Remediation Period Commencement: The Remediation Period begins immediately upon your initial detection of a purported security issue, regardless of whether the issue is ultimately deemed valid or invalid.

Cooperation and Assistance: You are required to provide all additional details, clarifications, and retesting support necessary for us to address the issue effectively.

Minimum Remediation Timeline: The minimum Remediation Period is 90 days, commencing after you have actively cooperated by providing all required information. We reserve the right to extend the period if the issue proves complex or necessitates third-party coordination.

Prohibition on Flagging Post-Remediation: Upon successful remediation of any valid issue, you shall not Flag or classify the Product for that issue or any derivative thereof.

18.7. NON-DISCLOSURE

Confidentiality Obligation: You agree to maintain strict confidentiality regarding any discovered vulnerability or security issue for the entire duration of the Remediation Period.

No Public Disclosure: During the Remediation Period, you must not publicly disclose, discuss, or disseminate any details of the issue, including but not limited to posting on forums, social media, or security mailing lists.

18.8. UNIVERSAL APPLICABILITY

Superseding Prior Agreements: This Policy overrides any prior agreements, contracts, or understandings relating to security reviews of the Product.

Method of Acquisition Irrelevant: These terms apply in all cases, including but not limited to when the Product is obtained via direct download, third-party distribution, client materials, automated scanning tools, AI systems, machine-learning models, or any other channel.

Continuous Liability: You remain bound by these obligations regardless of how or when you acquired or analyzed the Product. Any attempt to circumvent these obligations by indirect means is void.

Removal if Non-Compliant: If you are unable or unwilling to comply fully with these terms, you must immediately remove all instances of the Product, related materials, and any derivatives from your environment and ensure your platforms do not collect, scan, or review the Product in the future.

18.9. LIQUIDATED DAMAGES AND INDEMNITY

For any Triggering Event (public distribution of a Flag without adhering to this agreement), Reviewer shall immediately pay initial damages of 250,000 GBP for incident response costs. Reviewer shall pay ongoing monthly damages calculated as (3 GBP * N) average acquisition cost + (7 GBP * N) minimum lifetime profit value, where N equals the number of unique endpoints that received the Flag. This ongoing monthly damage payment continues until Reviewer retracts the Flag from all public distribution. The Parties acknowledge that the damages calculated above represent direct and documented costs incurred by the Company. Reviewer accepts the Company's calculations regarding the number of affected endpoints (N) as final and binding. If Reviewer retracts the Flag from all public feeds within 48 hours of Company notification, liability under this clause is limited to direct, documented expenses.
Scope of Liability: Liability extends to cover all losses, harms, or damages arising directly or indirectly from the breach, including but not limited to reputational harm, financial losses, and any costs associated with remediation or legal actions.

18.10. SAFE HARBOR

Provided Reviewer complies with all requirements in this Section 18, the Company waives claims under the Computer Misuse Act 1990, the U.S. CFAA, or DMCA Section 1201 for necessary acts performed during permitted tests.

18.11. AUTHORITY AND BINDING AGREEMENT

Representation and Warranty of Authority: By conducting any security review of the Product, you represent and warrant that you have the full legal authority to accept these terms, both on your own behalf and on behalf of your employer or principal organization, if applicable.

Electronic Agent Authorization and Responsibility: According to Section 14 ("Automated Transactions") of the Uniform Electronic Transactions Act (UETA), you expressly agree that any action performed by an electronic agent, robot, or automated system programmed, selected, or utilized by you (including clicking "I Agree" or executing similar electronic confirmations) shall be deemed your direct action. You hereby assume full responsibility and liability for all outcomes resulting from such electronic agent actions.

Binding Nature: These terms form a legally binding agreement between you and Fast Corporation LTD (the "Company"). Any unauthorized or non-compliant conduct will be subject to the remedies outlined herein and any other remedies available under law.

18.12. GOVERNING LAW AND JURISDICTION

Choice of Law: This Policy and all disputes arising therefrom or related thereto shall be exclusively governed by and construed in accordance with the laws of England and Wales.

Forum Selection: The courts of England and Wales shall have exclusive jurisdiction over any claim, controversy, or dispute arising under or related to this Policy.
BY INITIATING ANY SECURITY REVIEW OF THE PRODUCT, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY ALL OF THE ABOVE TERMS.

Contact: support@veryfast.io
Security Review Policy: https://veryfast.io?p=lp_veryfast_tos_r1