Skip to content
← Policies

Bug Bounty Non-Disclosure and Vulnerability Disclosure Agreement

Bug Bounty Non-Disclosure and Vulnerability Disclosure Agreement

This Bug Bounty Non-Disclosure and Vulnerability Disclosure Agreement (“Agreement”) is entered into by and between Sycamore Labs, Inc., a Delaware corporation (“Company”), and the individual identified below (“Researcher”).

In connection with the Company’s Bug Bounty Program (the “Program”), Researcher has submitted a report identifying a potential security vulnerability in the Company’s systems. In consideration of any bounty payment and the mutual promises set forth herein, the parties agree as follows:

1. Definitions

“Proprietary Information” means any and all business, technical, security, or other information, materials, and ideas disclosed to or discovered by Researcher in connection with the Program, including, without limitation, vulnerability details, exploit code, proof-of-concept materials, system architecture, configurations, source code, data, security posture, remediation strategies, and anything Researcher learns or discovers as a result of exposure to or analysis of any Proprietary Information.

“Report” means the vulnerability report, proof-of-concept code, exploit code, tools, scripts, analysis, documentation, screenshots, recordings, and any other materials submitted by Researcher to the Company in connection with the Program.

“Bounty Payment” means the monetary payment, if any, made by the Company to Researcher in connection with a valid vulnerability report under the Program.

2. Confidentiality

Researcher will hold in strict confidence and will not use (except as required to submit and support the Report) or disclose any Proprietary Information, except information Researcher can document: (a) is in the public domain through no fault of Researcher, (b) was properly known to Researcher, without restriction, prior to disclosure by Company, or (c) was properly disclosed to Researcher by another person without restriction and without breach of any obligation of confidentiality.

Researcher will not reverse engineer or attempt to derive the composition or underlying information, structure, or ideas of any Proprietary Information beyond what is strictly necessary to identify and demonstrate the reported vulnerability. The foregoing does not grant Researcher a license in or to any of the Proprietary Information.

Researcher understands that this Agreement does not obligate the Company to disclose any information or negotiate or enter into any agreement or relationship. Researcher will strictly abide by any and all instructions and restrictions provided by the Company from time to time with respect to Proprietary Information or Company systems. Researcher will ensure the security of any facilities, machines, accounts, passwords, and methods Researcher uses to store any Proprietary Information or to access Company systems and ensure that no other person has or obtains access thereto.

Researcher will promptly notify the Company of any unauthorized release, disclosure, or use of Proprietary Information.

3. Non-Disclosure and Embargo

Researcher shall not disclose, publish, present, discuss, or otherwise make available to any third party — whether publicly or privately — any Proprietary Information, including but not limited to the existence, nature, details, or impact of any vulnerability reported under the Program, without the prior written consent of the Company.

This obligation applies without limitation in time and regardless of whether the Company has remediated the vulnerability. Researcher may not impose deadlines or timelines on the Company for remediation or disclosure.

4. Intellectual Property Assignment

Researcher hereby irrevocably assigns to the Company all right, title, and interest in and to the Report, including all intellectual property rights therein (including patent, copyright, trade secret, and any other proprietary rights), throughout the world in perpetuity. Researcher agrees to execute any additional documents and take any further actions reasonably requested by the Company to effectuate, perfect, or confirm this assignment.

Researcher represents and warrants that the Report is Researcher’s original work, does not infringe or misappropriate any third-party intellectual property rights, and that Researcher has full authority to make this assignment.

5. Prior Disclosure Representation

Researcher represents and warrants that, prior to executing this Agreement: (a) Researcher has not disclosed the vulnerability or any Proprietary Information to any third party, including but not limited to other researchers, journalists, competitors, or the public; and (b) no third party has access to the Report or any materials derived therefrom.

If this representation is found to be false, the Company may, at its sole discretion, void the Bounty Payment and exercise all remedies available under this Agreement and applicable law, including clawback of any amounts paid.

6. Release of Claims

Researcher, on behalf of themselves and their heirs, successors, and assigns, hereby irrevocably and unconditionally releases, acquits, and forever discharges the Company and its officers, directors, employees, agents, affiliates, successors, and assigns from any and all claims, demands, damages, actions, causes of action, suits, costs, expenses, and liabilities of any kind or nature whatsoever, whether known or unknown, suspected or unsuspected, that Researcher now has, has ever had, or may hereafter have, arising out of or relating to the vulnerability, the Report, the Bounty Payment, or Researcher’s participation in the Program.

Waiver of California Civil Code Section 1542. Researcher expressly waives and relinquishes all rights and benefits under Section 1542 of the California Civil Code, which provides:

“A general release does not extend to claims that the releasing party or the releasing party’s successor in interest does not know or suspect to exist in his or her favor at the time of executing the release and that, if known by him or her, would have materially affected his or her settlement with the released party.”

Researcher acknowledges that this waiver is an essential and material term of this Agreement and that, without such waiver, the Company would not have agreed to enter into this Agreement.

7. Compensation

The Bounty Payment, if any, constitutes the sole and complete consideration for Researcher’s Report, the assignment of intellectual property rights, the release of claims, and all other obligations assumed by Researcher under this Agreement. Researcher shall have no right to any additional payment, royalty, bonus, credit, recognition, or other compensation from the Company in connection with the vulnerability or the Report.

8. Sole Discretion

The Company shall determine, in its sole and absolute discretion, the validity, severity, and impact of any reported vulnerability, whether a Bounty Payment will be made, and the amount of any such payment. The Company’s determinations regarding eligibility, duplicates, severity classification, and payout amounts are final and binding. Submission of a Report does not guarantee payment.

9. Clawback and Liquidated Damages

In the event of any breach of this Agreement by Researcher, the Company shall be entitled to: (a) immediate return of the full Bounty Payment; (b) injunctive and equitable relief without the necessity of proving actual damages or posting a bond; and (c) recovery of all damages, costs, and expenses (including reasonable attorneys’ fees) arising from such breach.

Researcher acknowledges and agrees that due to the unique nature of the Proprietary Information, any breach of this Agreement would cause irreparable harm to the Company for which monetary damages alone are not an adequate remedy.

10. Cooperation

For a period of ninety (90) days following execution of this Agreement, Researcher agrees to reasonably cooperate with the Company’s efforts to understand, reproduce, validate, and remediate the reported vulnerability, including answering follow-up questions, providing additional technical details, and verifying fixes. Such cooperation shall be provided at no additional cost to the Company.

11. Compliance and Rules of Engagement

Researcher represents and warrants that all testing and research activities conducted in connection with the Report were performed in compliance with: (a) the Company’s Bug Bounty Program policy, including all Rules of Engagement; (b) all applicable federal, state, local, and international laws and regulations; and (c) the Company’s Terms of Use.

Researcher acknowledges that the Company’s Safe Harbor provision, as described in the Bug Bounty Program policy, applies only to activities conducted in good faith and in compliance with this Agreement and the Program policy. Any violation of the Rules of Engagement or applicable law may, at the Company’s sole discretion, void all protections under the Program and this Agreement.

12. Return and Destruction of Proprietary Information

If requested by the Company, Researcher shall promptly return all Proprietary Information and all copies, extracts, and other objects or items in which Proprietary Information may be contained or embodied.

In addition, within seven (7) days of executing this Agreement (or upon earlier request by the Company), Researcher shall permanently and irrevocably destroy all copies of Proprietary Information in Researcher’s possession or control, including but not limited to: vulnerability details, exploit code, proof-of-concept materials, Company data, credentials, tokens, API keys, session artifacts, screenshots, recordings, notes, and any derivatives thereof, in any form and on any medium (including local storage, cloud storage, code repositories, note-taking applications, email, and messaging platforms).

Researcher shall not retain any copies, excerpts, summaries, or derivatives of Proprietary Information in any form after such return or destruction.

Within seven (7) days of completing destruction, Researcher shall provide the Company with a signed written certification confirming that all Proprietary Information has been destroyed in accordance with this section.

13. Eligibility and Sanctions Compliance

Researcher represents and warrants that: (a) Researcher is at least eighteen (18) years of age or the age of majority in Researcher’s jurisdiction, whichever is greater; (b) Researcher is not a resident of, located in, or organized under the laws of any country or territory subject to comprehensive sanctions administered by the U.S. Office of Foreign Assets Control (“OFAC”), including but not limited to Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions; (c) Researcher is not identified on any U.S. or applicable sanctions or denied-party list, including the OFAC Specially Designated Nationals and Blocked Persons List; and (d) Researcher is legally permitted to receive the Bounty Payment under all applicable laws and regulations.

14. Indemnification

Researcher shall indemnify, defend, and hold harmless the Company and its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all third-party claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to: (a) Researcher’s testing or research activities; (b) any breach of this Agreement by Researcher; (c) any negligent or wrongful act or omission of Researcher; or (d) any claim that the Report or any materials provided by Researcher infringe or misappropriate any third-party intellectual property or proprietary rights.

15. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY’S TOTAL AGGREGATE LIABILITY TO RESEARCHER ARISING OUT OF OR RELATING TO THIS AGREEMENT, THE PROGRAM, OR THE BOUNTY PAYMENT SHALL NOT EXCEED THE AMOUNT OF THE BOUNTY PAYMENT ACTUALLY PAID TO RESEARCHER.

IN NO EVENT SHALL THE COMPANY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA, OR GOODWILL, ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

16. Non-Disparagement

Researcher agrees not to make, publish, or communicate any disparaging, defamatory, or derogatory statements, whether written or oral, about the Company, its products, services, security posture, officers, directors, employees, or agents, including on social media, blogs, forums, conferences, or in communications with the press.

17. Non-Solicitation

Until one (1) year after the later of (i) the date of this Agreement or (ii) the last disclosure of Proprietary Information to Researcher, Researcher will not, directly or indirectly, encourage or solicit any employee or consultant of the Company to leave the Company for any reason.

18. Independent Contractor

Researcher is an independent contractor and nothing in this Agreement shall be construed to create an employment, agency, partnership, joint venture, or franchise relationship between Researcher and the Company. Researcher is solely responsible for all tax obligations arising from the Bounty Payment. The Company will not withhold taxes from the Bounty Payment and will issue applicable tax reporting forms (e.g., IRS Form 1099-MISC or Form 1099-NEC for U.S. persons) as required by law.

19. No Assignment

This Agreement is personal to Researcher and may not be assigned, transferred, or delegated by Researcher, in whole or in part, to any third party without the prior written consent of the Company. Any attempted assignment in violation of this section shall be null and void.

If Researcher receives any subpoena, court order, governmental request, or other legal process that would or could compel the disclosure of any Proprietary Information, Researcher shall promptly notify the Company in writing (and in any event no later than forty-eight (48) hours after receipt, or sooner if required by the timeline of the legal process) so that the Company may seek a protective order or other appropriate remedy. Researcher shall cooperate with the Company in resisting or narrowing such disclosure to the maximum extent permitted by law.

21. Equitable Relief

Researcher acknowledges and agrees that due to the unique nature of the Proprietary Information, any breach of this Agreement would cause irreparable harm to the Company for which damages are not an adequate remedy, and that the Company shall therefore be entitled to equitable relief, including injunctive relief and specific performance, in addition to all other remedies available at law or in equity, without the necessity of proving actual damages or posting a bond.

22. Governing Law and Dispute Resolution

This Agreement shall be governed by and construed in accordance with the internal laws of the State of California, without regard to its conflict of laws principles. Any dispute arising out of or relating to this Agreement shall be subject to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California, and each party consents to the personal jurisdiction of such courts. The prevailing party in any dispute or legal action regarding the subject matter of this Agreement shall be entitled to recover reasonable attorneys’ fees and costs.

23. Entire Agreement

This Agreement, together with the Company’s Bug Bounty Program policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous negotiations, representations, warranties, understandings, and agreements, whether written or oral. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by both parties.

24. Severability

If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, or if such modification is not possible, such provision shall be severed and the remaining provisions shall continue in full force and effect.

25. Survival

The following sections shall survive the termination or expiration of this Agreement: Confidentiality (Section 2), Non-Disclosure and Embargo (Section 3), Intellectual Property Assignment (Section 4), Prior Disclosure Representation (Section 5), Release of Claims (Section 6), Clawback and Liquidated Damages (Section 9), Indemnification (Section 14), Limitation of Liability (Section 15), Non-Disparagement (Section 16), Non-Solicitation (Section 17), Notification of Legal Process (Section 20), Equitable Relief (Section 21), Governing Law and Dispute Resolution (Section 22), and this Section 25.

Acknowledged and Agreed

Date: [_____________], 2026

Researcher

Name (Print): ______________________________

Signature: ______________________________

Email: ______________________________

Sycamore Labs, Inc.

Name (Print): ______________________________

Title: ______________________________

Signature: ______________________________

# Policy: Bug Bounty Non-Disclosure and Vulnerability Disclosure Agreement

## Bug Bounty Non-Disclosure and Vulnerability Disclosure Agreement

This Bug Bounty Non-Disclosure and Vulnerability Disclosure Agreement ("Agreement") is entered into by and between Sycamore Labs, Inc., a Delaware corporation ("Company"), and the individual identified below ("Researcher").

In connection with the Company's Bug Bounty Program (the "Program"), Researcher has submitted a report identifying a potential security vulnerability in the Company's systems. In consideration of any bounty payment and the mutual promises set forth herein, the parties agree as follows:

---

### 1. Definitions

**"Proprietary Information"** means any and all business, technical, security, or other information, materials, and ideas disclosed to or discovered by Researcher in connection with the Program, including, without limitation, vulnerability details, exploit code, proof-of-concept materials, system architecture, configurations, source code, data, security posture, remediation strategies, and anything Researcher learns or discovers as a result of exposure to or analysis of any Proprietary Information.

**"Report"** means the vulnerability report, proof-of-concept code, exploit code, tools, scripts, analysis, documentation, screenshots, recordings, and any other materials submitted by Researcher to the Company in connection with the Program.

**"Bounty Payment"** means the monetary payment, if any, made by the Company to Researcher in connection with a valid vulnerability report under the Program.

---

### 2. Confidentiality

Researcher will hold in strict confidence and will not use (except as required to submit and support the Report) or disclose any Proprietary Information, except information Researcher can document: (a) is in the public domain through no fault of Researcher, (b) was properly known to Researcher, without restriction, prior to disclosure by Company, or (c) was properly disclosed to Researcher by another person without restriction and without breach of any obligation of confidentiality.

Researcher will not reverse engineer or attempt to derive the composition or underlying information, structure, or ideas of any Proprietary Information beyond what is strictly necessary to identify and demonstrate the reported vulnerability. The foregoing does not grant Researcher a license in or to any of the Proprietary Information.

Researcher understands that this Agreement does not obligate the Company to disclose any information or negotiate or enter into any agreement or relationship. Researcher will strictly abide by any and all instructions and restrictions provided by the Company from time to time with respect to Proprietary Information or Company systems. Researcher will ensure the security of any facilities, machines, accounts, passwords, and methods Researcher uses to store any Proprietary Information or to access Company systems and ensure that no other person has or obtains access thereto.

Researcher will promptly notify the Company of any unauthorized release, disclosure, or use of Proprietary Information.

---

### 3. Non-Disclosure and Embargo

Researcher shall not disclose, publish, present, discuss, or otherwise make available to any third party — whether publicly or privately — any Proprietary Information, including but not limited to the existence, nature, details, or impact of any vulnerability reported under the Program, without the prior written consent of the Company.

This obligation applies without limitation in time and regardless of whether the Company has remediated the vulnerability. Researcher may not impose deadlines or timelines on the Company for remediation or disclosure.

---

### 4. Intellectual Property Assignment

Researcher hereby irrevocably assigns to the Company all right, title, and interest in and to the Report, including all intellectual property rights therein (including patent, copyright, trade secret, and any other proprietary rights), throughout the world in perpetuity. Researcher agrees to execute any additional documents and take any further actions reasonably requested by the Company to effectuate, perfect, or confirm this assignment.

Researcher represents and warrants that the Report is Researcher's original work, does not infringe or misappropriate any third-party intellectual property rights, and that Researcher has full authority to make this assignment.

---

### 5. Prior Disclosure Representation

Researcher represents and warrants that, prior to executing this Agreement: (a) Researcher has not disclosed the vulnerability or any Proprietary Information to any third party, including but not limited to other researchers, journalists, competitors, or the public; and (b) no third party has access to the Report or any materials derived therefrom.

If this representation is found to be false, the Company may, at its sole discretion, void the Bounty Payment and exercise all remedies available under this Agreement and applicable law, including clawback of any amounts paid.

---

### 6. Release of Claims

Researcher, on behalf of themselves and their heirs, successors, and assigns, hereby irrevocably and unconditionally releases, acquits, and forever discharges the Company and its officers, directors, employees, agents, affiliates, successors, and assigns from any and all claims, demands, damages, actions, causes of action, suits, costs, expenses, and liabilities of any kind or nature whatsoever, whether known or unknown, suspected or unsuspected, that Researcher now has, has ever had, or may hereafter have, arising out of or relating to the vulnerability, the Report, the Bounty Payment, or Researcher's participation in the Program.

**Waiver of California Civil Code Section 1542.** Researcher expressly waives and relinquishes all rights and benefits under Section 1542 of the California Civil Code, which provides:

> "A general release does not extend to claims that the releasing party or the releasing party's successor in interest does not know or suspect to exist in his or her favor at the time of executing the release and that, if known by him or her, would have materially affected his or her settlement with the released party."

Researcher acknowledges that this waiver is an essential and material term of this Agreement and that, without such waiver, the Company would not have agreed to enter into this Agreement.

---

### 7. Compensation

The Bounty Payment, if any, constitutes the sole and complete consideration for Researcher's Report, the assignment of intellectual property rights, the release of claims, and all other obligations assumed by Researcher under this Agreement. Researcher shall have no right to any additional payment, royalty, bonus, credit, recognition, or other compensation from the Company in connection with the vulnerability or the Report.

---

### 8. Sole Discretion

The Company shall determine, in its sole and absolute discretion, the validity, severity, and impact of any reported vulnerability, whether a Bounty Payment will be made, and the amount of any such payment. The Company's determinations regarding eligibility, duplicates, severity classification, and payout amounts are final and binding. Submission of a Report does not guarantee payment.

---

### 9. Clawback and Liquidated Damages

In the event of any breach of this Agreement by Researcher, the Company shall be entitled to: (a) immediate return of the full Bounty Payment; (b) injunctive and equitable relief without the necessity of proving actual damages or posting a bond; and (c) recovery of all damages, costs, and expenses (including reasonable attorneys' fees) arising from such breach.

Researcher acknowledges and agrees that due to the unique nature of the Proprietary Information, any breach of this Agreement would cause irreparable harm to the Company for which monetary damages alone are not an adequate remedy.

---

### 10. Cooperation

For a period of ninety (90) days following execution of this Agreement, Researcher agrees to reasonably cooperate with the Company's efforts to understand, reproduce, validate, and remediate the reported vulnerability, including answering follow-up questions, providing additional technical details, and verifying fixes. Such cooperation shall be provided at no additional cost to the Company.

---

### 11. Compliance and Rules of Engagement

Researcher represents and warrants that all testing and research activities conducted in connection with the Report were performed in compliance with: (a) the Company's Bug Bounty Program policy, including all Rules of Engagement; (b) all applicable federal, state, local, and international laws and regulations; and (c) the Company's Terms of Use.

Researcher acknowledges that the Company's Safe Harbor provision, as described in the Bug Bounty Program policy, applies only to activities conducted in good faith and in compliance with this Agreement and the Program policy. Any violation of the Rules of Engagement or applicable law may, at the Company's sole discretion, void all protections under the Program and this Agreement.

---

### 12. Return and Destruction of Proprietary Information

If requested by the Company, Researcher shall promptly return all Proprietary Information and all copies, extracts, and other objects or items in which Proprietary Information may be contained or embodied.

In addition, within seven (7) days of executing this Agreement (or upon earlier request by the Company), Researcher shall permanently and irrevocably destroy all copies of Proprietary Information in Researcher's possession or control, including but not limited to: vulnerability details, exploit code, proof-of-concept materials, Company data, credentials, tokens, API keys, session artifacts, screenshots, recordings, notes, and any derivatives thereof, in any form and on any medium (including local storage, cloud storage, code repositories, note-taking applications, email, and messaging platforms).

Researcher shall not retain any copies, excerpts, summaries, or derivatives of Proprietary Information in any form after such return or destruction.

Within seven (7) days of completing destruction, Researcher shall provide the Company with a signed written certification confirming that all Proprietary Information has been destroyed in accordance with this section.

---

### 13. Eligibility and Sanctions Compliance

Researcher represents and warrants that: (a) Researcher is at least eighteen (18) years of age or the age of majority in Researcher's jurisdiction, whichever is greater; (b) Researcher is not a resident of, located in, or organized under the laws of any country or territory subject to comprehensive sanctions administered by the U.S. Office of Foreign Assets Control ("OFAC"), including but not limited to Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions; (c) Researcher is not identified on any U.S. or applicable sanctions or denied-party list, including the OFAC Specially Designated Nationals and Blocked Persons List; and (d) Researcher is legally permitted to receive the Bounty Payment under all applicable laws and regulations.

---

### 14. Indemnification

Researcher shall indemnify, defend, and hold harmless the Company and its officers, directors, employees, agents, affiliates, successors, and assigns from and against any and all third-party claims, demands, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees) arising out of or relating to: (a) Researcher's testing or research activities; (b) any breach of this Agreement by Researcher; (c) any negligent or wrongful act or omission of Researcher; or (d) any claim that the Report or any materials provided by Researcher infringe or misappropriate any third-party intellectual property or proprietary rights.

---

### 15. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY'S TOTAL AGGREGATE LIABILITY TO RESEARCHER ARISING OUT OF OR RELATING TO THIS AGREEMENT, THE PROGRAM, OR THE BOUNTY PAYMENT SHALL NOT EXCEED THE AMOUNT OF THE BOUNTY PAYMENT ACTUALLY PAID TO RESEARCHER.

IN NO EVENT SHALL THE COMPANY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, OR DAMAGES FOR LOSS OF PROFITS, REVENUE, DATA, OR GOODWILL, ARISING OUT OF OR RELATING TO THIS AGREEMENT, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF THE COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

---

### 16. Non-Disparagement

Researcher agrees not to make, publish, or communicate any disparaging, defamatory, or derogatory statements, whether written or oral, about the Company, its products, services, security posture, officers, directors, employees, or agents, including on social media, blogs, forums, conferences, or in communications with the press.

---

### 17. Non-Solicitation

Until one (1) year after the later of (i) the date of this Agreement or (ii) the last disclosure of Proprietary Information to Researcher, Researcher will not, directly or indirectly, encourage or solicit any employee or consultant of the Company to leave the Company for any reason.

---

### 18. Independent Contractor

Researcher is an independent contractor and nothing in this Agreement shall be construed to create an employment, agency, partnership, joint venture, or franchise relationship between Researcher and the Company. Researcher is solely responsible for all tax obligations arising from the Bounty Payment. The Company will not withhold taxes from the Bounty Payment and will issue applicable tax reporting forms (e.g., IRS Form 1099-MISC or Form 1099-NEC for U.S. persons) as required by law.

---

### 19. No Assignment

This Agreement is personal to Researcher and may not be assigned, transferred, or delegated by Researcher, in whole or in part, to any third party without the prior written consent of the Company. Any attempted assignment in violation of this section shall be null and void.

---

### 20. Notification of Legal Process

If Researcher receives any subpoena, court order, governmental request, or other legal process that would or could compel the disclosure of any Proprietary Information, Researcher shall promptly notify the Company in writing (and in any event no later than forty-eight (48) hours after receipt, or sooner if required by the timeline of the legal process) so that the Company may seek a protective order or other appropriate remedy. Researcher shall cooperate with the Company in resisting or narrowing such disclosure to the maximum extent permitted by law.

---

### 21. Equitable Relief

Researcher acknowledges and agrees that due to the unique nature of the Proprietary Information, any breach of this Agreement would cause irreparable harm to the Company for which damages are not an adequate remedy, and that the Company shall therefore be entitled to equitable relief, including injunctive relief and specific performance, in addition to all other remedies available at law or in equity, without the necessity of proving actual damages or posting a bond.

---

### 22. Governing Law and Dispute Resolution

This Agreement shall be governed by and construed in accordance with the internal laws of the State of California, without regard to its conflict of laws principles. Any dispute arising out of or relating to this Agreement shall be subject to the exclusive jurisdiction of the state and federal courts located in San Francisco County, California, and each party consents to the personal jurisdiction of such courts. The prevailing party in any dispute or legal action regarding the subject matter of this Agreement shall be entitled to recover reasonable attorneys' fees and costs.

---

### 23. Entire Agreement

This Agreement, together with the Company's Bug Bounty Program policy, constitutes the entire agreement between the parties with respect to the subject matter hereof and supersedes all prior and contemporaneous negotiations, representations, warranties, understandings, and agreements, whether written or oral. No modification, amendment, or waiver of any provision of this Agreement shall be effective unless in writing and signed by both parties.

---

### 24. Severability

If any provision of this Agreement is found by a court of competent jurisdiction to be invalid, illegal, or unenforceable, such provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable, or if such modification is not possible, such provision shall be severed and the remaining provisions shall continue in full force and effect.

---

### 25. Survival

The following sections shall survive the termination or expiration of this Agreement: Confidentiality (Section 2), Non-Disclosure and Embargo (Section 3), Intellectual Property Assignment (Section 4), Prior Disclosure Representation (Section 5), Release of Claims (Section 6), Clawback and Liquidated Damages (Section 9), Indemnification (Section 14), Limitation of Liability (Section 15), Non-Disparagement (Section 16), Non-Solicitation (Section 17), Notification of Legal Process (Section 20), Equitable Relief (Section 21), Governing Law and Dispute Resolution (Section 22), and this Section 25.

---

### Acknowledged and Agreed

**Date:** \[\_\_\_\_\_\_\_\_\_\_\_\_\_\], 2026

**Researcher**

Name (Print): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Signature: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Email: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

**Sycamore Labs, Inc.**

Name (Print): \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Title: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

Signature: \_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_