Fortra's Core Impact, Cobalt Strike, and Outflank Security Tooling Solution Specific Schedule

Solution Purpose and Authorized Use:
Fortra licenses the Cobalt Strike and/or the Outflank Security Tooling (“OST”) and/or the Core Impact solutions (the “Solutions”) for lawful and ethical penetration testing and/or red teaming purposes to approved customers and Authorized Users. The Solutions are meant for use by an extremely technical and skilled end-user, and it is up to You to make sure that either Solution meets Your needs and behaves in a safe manner for Your authorized and approved use cases as evidenced in the End-Use Statement. You acknowledge and agree that Fortra disclaims all liability for damages caused by Your use of the Solutions, even if Fortra has been advised of such potential damages. Please make sure You read through, understand, and agree with these terms before You access and/or use the Solutions.

You agree to provide Fortra with any information reasonably requested by Fortra about Your use of the Solutions, including, but not limited to, an executed End-Use Statement.

License Term/Grant:
The License Term is the period in which You are authorized to access and use a Solution as provided on an Order Form. If the initial term is not specified in the Order Form, the initial term will be deemed to have a duration of twelve (12) months. Upon expiration of the initial term, the term of the Agreement will automatically renew for additional successive terms of the same duration as the initial term (the “Renewal Term”), unless either Party gives the other Party written notice of non-renewal at least thirty (30) calendar days prior to the beginning of the Renewal Term. Such Renewal Terms will be under the terms and conditions of the initial term, unless Fortra has provided written notice to Client of any amended terms and conditions and/or a pricing increase at least sixty (60) calendar days prior to the beginning of the Renewal Term. In such an event, the amended terms and conditions and/or the pricing increase will apply to the Renewal Term.
Fortra hereby grants to You, during the License Term only, a non-exclusive, non-transferable, and non-sublicensable license to access and use the purchased Solution solely for ethical penetration testing and/or red teaming purposes and in accordance with Your End-Use Statement. You shall ensure that only one individual Authorized User uses the licensed Solution for each purchased license key. An “Authorized User” is an individual employee of Client that may access and use the Solutions, designated as such by way of the Order Form. If the Parties have explicitly agreed such by way of the Order Form, this may also concern individual employees of specified affiliate companies of Client and/or self-employed individual contractors engaged by Client, acting in the course of their profession or business. No other individual end-users of Client are licensed to use the Solution.

Solution Updates:
Fortra grants You the right to use Solution updates as they are made generally available to Fortra’s customers during the License Term. Fortra shall decide the frequency and content of the Solution updates, if any. You are encouraged to install all updates and utilize them to maximize the effectiveness of the Solution. You shall not distribute any information regarding the updates, or any related derivative works to any third parties, including but not limited to, anti-virus vendors or to organizations that collect samples for anti-virus vendors.

Support:
Fortra offers email support (or other mutually agreed methods of electronic support) for the Solutions during the License Term only. Fortra shall not be obligated to support third-party products or dependencies used by or with the Solutions, including products or dependencies from the Metasploit® Framework or Java frameworks.

Restrictions on Transfer:
Without first obtaining the express written consent of Fortra, You may not assign (whether by contract or operation of law) Your rights and obligations (or delegate Your obligations or duties in any way) under this Agreement, or redistribute, encumber, sell, rent, lease, sublicense, or otherwise transfer Your license rights to the Solutions.

Restrictions on Use:
You may not decompile, “reverse-engineer”, disassemble, or otherwise attempt to derive the source code for the Solutions, or modify or attempt to modify the Solutions in any way unless expressly authorized in writing by Fortra. The Solutions shall not be used in Your marketing or press or online materials without express written consent from Fortra. Care must be taken to minimize the proliferation of Solution binaries, files, license codes, or other protected information to non-authorized parties and users. Fortra reserves the right, in its sole discretion, to decline the provision of service and/or to immediately suspend or terminate Your access to, or delivery of, the Solutions (in whole, or in part, including by way of example, an individual Account) (i) to any Client or Authorized User who is (or is believed to be) in violation of this Agreement; (ii) to any Client or Authorized User who poses a threat to the security of Fortra or the operation of the Solutions; (iii) to any Client or Authorized User who exposes Fortra to potential damages; (iv) to any Client or Authorized User who uses a Solution for product sales, marketing, product research and development, or product quality assurance purposes, or (v) if Client fails to make full payment for the Solutions as provided herein.

Restrictions on Alteration:
You may not modify the Solutions or create any derivative work of the Solutions or its accompanying documentation unless expressly authorized in writing by Fortra. Derivative works include but are not limited to translations. You may not alter any files or libraries in any portion of the Solution.

Authorized Users:
Authorized Users must be specified in the Order Form or on the End-Use Statement. Client must notify Fortra if Authorized Users are no longer employed or engaged by Client or if the Authorized User moves to a different role within the Client company. Such notification will be considered as an immediate amendment of the Order Form, resulting in removal of the (former) Authorized User in question. Any additions to or replacements in the list of Authorized Users or the capacity for Authorized Users included in the license for the Solutions contained in the Order Form can only occur with the written approval of Fortra – upon which it will be considered an immediate amendment of the Order Form. Client is not entitled to a refund in the event it does not fully make use of the permitted capacity for Authorized Users, or if it doesn’t replace a removed Authorized User.

Disclaimer of Warranties:
THE SOLUTIONS ARE PROVIDED "AS IS" AND UNLESS OTHERWISE EXPLICITLY AGREED TO IN WRITING BY FORTRA, FORTRA MAKES NO OTHER WARRANTIES, EXPRESS OR IMPLIED, IN FACT OR IN LAW, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OTHER THAN AS SET FORTH IN THIS AGREEMENT.
YOU WARRANT THAT THE SOLUTIONS WILL BE USED BY AN EXTREMELY TECHNICAL AND SKILLED USER AND MUST BE USED IN A SAFE AND ETHICAL MANNER. FORTRA MAKES NO WARRANTY THAT THE SOLUTIONS WILL MEET YOUR NEEDS OR OPERATE UNDER YOUR SPECIFIC CONDITIONS OF USE. FORTRA MAKES NO WARRANTY THAT OPERATION OF THE SOLUTIONS WILL BE SECURE, ERROR FREE, OR FREE FROM INTERRUPTION. YOU BEAR SOLE RESPONSIBILITY AND ALL LIABILITY FOR ANY LOSS INCURRED DUE TO FAILURE OF THE SOLUTION TO MEET YOUR REQUIREMENTS.
FORTRA WILL NOT, UNDER ANY CIRCUMSTANCES, BE RESPONSIBLE OR LIABLE FOR THE LOSS OF DATA ON ANY COMPUTER OR INFORMATION STORAGE DEVICE. UNDER NO CIRCUMSTANCES SHALL FORTRA, ITS DIRECTORS, OFFICERS, EMPLOYEES OR AGENTS BE LIABLE TO YOU OR ANY OTHER PARTY FOR INDIRECT, CONSEQUENTIAL, SPECIAL, INCIDENTAL, PUNITIVE, OR EXEMPLARY DAMAGES OF ANY KIND (INCLUDING LOST REVENUES OR PROFITS OR LOSS OF BUSINESS) RESULTING FROM THIS AGREEMENT, OR FROM THE FURNISHING, PERFORMANCE, INSTALLATION, ACCESS, OR USE OF THE SOLUTIONS, WHETHER DUE TO A BREACH OF CONTRACT, BREACH OF WARRANTY, OR TORT (INCLUDING NEGLIGENCE) OF FORTRA, EVEN IF FORTRA IS ADVISED BEFOREHAND OF THE POSSIBILITY OF SUCH DAMAGES, AND ANY DAMAGES RELATING TO THE SOLUTIONS SHALL BE LIMITED TO THE AMOUNT PAID FOR THE PARTICULAR SOLUTION LICENSE. TO THE EXTENT THAT THE APPLICABLE JURISDICTION LIMITS FORTRA’S ABILITY TO DISCLAIM ANY IMPLIED WARRANTIES, THIS DISCLAIMER SHALL BE EFFECTIVE TO THE MAXIMUM EXTENT PERMITTED.

Audit and Cooperation:
During the course of the Agreement, due to the sensitive nature of and strict oversight and laws and regulations applicable to the Solutions provided, Fortra shall have the right to engage an independent third party bound by confidentiality to perform an audit in order to verify Client’s compliance with this Agreement. The costs in connection with the audit will be borne by Fortra, unless the audit concludes that Client did not comply with this Agreement, in which case the costs will be borne by Client.
Client shall ensure that each instance of access or use of a Solution is in strict compliance with the applicable End-Use Statement. Client must follow all reasonable instructions provided by Fortra in relation to Client’s access or use of the Solutions, including, but not limited to any Solution specific documentation, operating manuals, and record keeping requirements. In addition, Client shall provide Fortra all necessary information regarding its access or use of the Solutions as may be required by any regulator or Fortra in order to comply with applicable laws and regulations.

Termination:
This Agreement and the licenses subject to this Agreement shall be forfeited and terminated if You fail to comply with any of the terms of this Agreement or are in breach of this Agreement or in violation of any laws.

Export and Other Laws:
You acknowledge that the export of the Solutions is subject to export or import control and agree that the Solutions will not be exported (or re-exported from a country of installation) directly or indirectly, unless You obtain all necessary licenses from the U.S. Department of Commerce or other agency as required by law (or other applicable authorities such as the Dutch Customs’ Central Import and Export Office (“CDIU”)). In furtherance of the export restriction agreements set forth above, You agree as follows: (a) You represent that You are not under the control of the government of Cuba, Iran, Sudan, North Korea, Syria, or any country to which the United States or the European Union has prohibited export; (b) You will not download or otherwise export or reexport the Solutions or associated documentation, directly or indirectly, to the countries referenced above or to citizens, nationals or residents of those countries; (c) You represent that You are not listed on the United States Department of Treasury lists of Specially Designated Nationals, Specially Designated Terrorists, and Specially Designated Narcotic Traffickers, nor are You listed on the United States Department of Commerce Table of Denial Orders; and (d) You will not allow the Solutions to be used for any purposes prohibited by United States, European or Dutch law, including, without limitation, providing the Solutions to or using the Solutions in services for sanctioned entities. Client expressly acknowledges and agrees that any requirements, provisions, and limitations regarding the export and end-use of (dual-use) Solutions as contained in this Agreement and the applicable regulations shall apply to any Solution documentation and support provided in relation to those Solutions.

You shall at all times in the performance of Your obligations under this Agreement strictly comply with all laws, regulations and orders, and You agree to commit no act which, directly or indirectly, would violate any United States (or other applicable foreign export control laws, including, but not limited to the Netherlands and the European Union) laws, regulations or orders, including, without limitation, tax, export and foreign exchange laws, import controls, and export controls imposed by the U.S. Export Administration Act of 1979 as amended, the United States Foreign Corrupt Practices Act and the European Dual-use Regulation and its national implementation in the Netherlands.

In order for Fortra to be able to provide the Solutions, Client must accurately and completely fill out the End-Use Statement. In the event an export application is required for the provision of the Solutions, Client may be required to have the document ‘legalized’ by the competent authorities in the jurisdiction where Client has its place of business (often the local Chamber of Commerce). Client shall (a) follow all reasonable instructions given by Fortra and provide all necessary cooperation in connection with the export application and the Agreement in a timely and efficient manner and (b) provide all necessary information as may be required by the U.S. Department of Commerce, CDIU, and/or Fortra in order to perform required due diligence on Client, Client’s use of the Solutions, and Client’s Authorized Users. If an export application is not approved, Fortra has the right to terminate the Agreement. Fortra and Client may mutually agree to attempt another export application. Client is responsible for the payment of all export application fees.

Commercial Software:
This section applies to all acquisitions of the Software Product by or for the federal government, or by any prime contractor or subcontractor (at any tier) under any contract, grant, cooperative agreement or other activity with the federal government. The Software Product was developed at private expense and is Commercial Computer Software, as defined in Section 12.212 of the Federal Acquisition Regulation (48 CFR 12.212) and Sections 227.7202-1 and 227.7202-3 of the Defense Federal Acquisition Regulation Supplement (48 CFR 227.7202-1, 227.7202-3).

OUTFLANK SECURITY TOOLING SOLUTION ADDENDUM

This Outflank Security Tooling (“OST”) Solution Addendum and the terms and conditions contained herein apply to the Agreement between Fortra, LLC and Client only if and insofar as the Solutions licensed thereunder concern OST.

Access to OST:
In order to access the OST Solution, Client is required to register an account for the OST platform with which the Client’s Authorized Users, after authentication, can manage, access and configure (certain aspects of) the Solution (an “Account”) for each Authorized User. Accounts are strictly bound to individual Authorized Users. Client is obliged to use any Accounts made available by Fortra in a careful manner and to keep its login information secure and strictly confidential. Under no circumstance may Accounts be shared with other Authorized Users, employees, or third parties. Fortra has the right to assume that all acts performed following authentication of an Account have been performed under the supervision and with the approval of Client.
Client will, within reasonable time after the grant of the license as specified in the Agreement, be able to register an Account for each of its Authorized Users, during which process each Authorized User will be asked to provide details for a login- and/or authentication method in order to access the OST platform. Client is obliged to use any Accounts made available by Fortra in a careful manner and to keep its login information secure and strictly confidential. Client is obliged to notify Fortra immediately if it suspects abuse of and/or unauthorized access to its Account(s).

Use of OST
Authorized Users may use the OST Solution platform in order to gain access to software tooling, as well as support, know-how and documentation in relation thereto (“Security Tooling”) for the fulfilment of individual, specific and limited purposes (each a “Use-Case”). Client ensures that Authorized Users only use the OST Solution in strict accordance with the Agreement and in particular the End-Use Statement.

Use-By Dates
In order to gain access to Security Tooling for a specific Use-Case, Client must provide the desired parameters and settings for the Security Tooling through the designated fields in the OST platform, as well as:

  • a. the codename for the Use-Case for which the Security Tooling is being accessed; and
  • b. the date by which the Use-Case will be completed (the “Use-By Date”).

Client will ensure that all Security Tooling provided through the OST platform is each time, insofar as possible, completely and irreversibly deleted on or before the Use-By Date.

In the event a Use-Case was not completed before the Use-By Date, Client may repeat the procedure described under the section titled ‘Use of OST’ above, in order to regain access to the Security Tooling to complete the Use-Case. In doing so, Client must use and provide the same codename for the Use-Case as originally submitted.

Reporting
For the duration of the Agreement and a period of three (3) years after the termination or expiration thereof, Client will maintain a complete and accurate administration with regard to each of its Authorized Users’ use of the OST Solution, the OST platform and the Security Tooling, as well as its compliance with the terms and conditions of the Agreement. At the minimum, Client will at all times maintain complete, accurate and properly dated records (“Records”) of:

  • (a) all Use-Cases (or codenames thereof), whether completed or ongoing;
  • (b) each Authorized User who accessed Security Tooling for each specific Use-Case;
  • (c) Use-By Dates relating to each Use-Case;
  • (d) deletions performed in accordance with the section titled ‘Use-By Dates’ above;
  • (e) the reasons why and extent to which deletions in accordance with the section titled ‘Use-By Dates’ above could not be performed, in as much detail as reasonably possible (for example because (a remnant of) the Security Tooling remains present on systems and devices the Client cannot gain access to).

Once every twelve (12) months, as well as any time upon first request by Fortra, Client will provide Fortra with a complete and accurate report of its Records as specified above.

Internal Administration
In addition to the Records, Client will, for the duration of the Agreement and a period of three (3) years after the termination or expiration thereof, internally maintain a complete and accurate administration that sufficiently ties the information contained in the Records (such as Use-Case codenames) to specific and identifiable customers of Client and/or projects and purposes the OST Solution was used for within Client’s own organization. Without prejudice to the section titled ‘Log Confirmation’ below, the internal administration specified in this current section is not intended to be shared with Fortra.

Log Confirmation
Fortra may periodically provide Client with logs regarding instances of access gained to the Security Tooling for Use-Cases by Client’s Authorized Users. Fortra may do so a maximum of four (4) times per year, unless it has reasonable suspicions regarding possible use of the Security Tooling in contravention of the Agreement or the applicable laws and regulations, in which case it may immediately provide Client with said logs.
In the event Fortra provides Client with logs as meant in the preceding paragraph, Client will as soon as reasonably possible but no later than three (3) weeks after receipt of the logs, in writing to Fortra:

  • (a) confirm whether Fortra’s provided logs (regarding Use-Cases, access by Authorized Users, Use-By Dates and deletions) are in line with the information recorded by Client as meant under the section titled ‘Reporting’ above; and
  • (b) notify Fortra of any (suspected) suspicious activity or inaccuracies relating to the Security Tooling, the information recorded by Client as meant under the sections above and/or the logs provided by Fortra, that falls outside the scope of (a).

Upon provision of the logs by Fortra as meant in this current section, Fortra may indicate that it suspects a high risk the Security Tooling may have been used (or will be used) in contravention of the Agreement, or the violation of export laws or human rights, in which case it will clearly label its provided logs as “Urgent”. In such an event, Client will provide its confirmations and notifications as meant in this current section as soon as possible.

Availability and Maintenance
Fortra will use reasonable endeavors to realize the uninterrupted availability of the OST Solution but offers no guarantees in this regard. Fortra also makes no promises or guarantees as to security, availability and integrity of data transfers while making use of the OST platform, unless it explicitly states otherwise.

Fortra may regularly carry out maintenance, updates, adjustments or improvements of its OST Solution and/or the related systems, networks or parts thereof which could lead to unavailability of the OST Solution. Should scheduled maintenance, adjustments or improvements require a reduced or total unavailability of the Services, then Fortra will endeavor to notify Client in advance. However, Fortra is in no case liable to compensate any damage arising in connection with such maintenance. If Fortra considers that there is a danger to the functioning of its systems, network or the OST Solution, Fortra will have the right to implement all measures it considers reasonably necessary to avert or prevent this danger. Since the OST Solution is provided over the public internet, Client is itself responsible for acquiring appropriate internet access and applying the appropriate security measures. Fortra accepts no liability in this regard.

Support
Fortra will, via a helpdesk, provide a reasonable level of remote support with regard to the OST Solution during 9:00 to 18:00 CEST on Monday to Friday, with the exception of national Dutch holidays and other days of which Fortra has indicated in advance that the helpdesk will be closed. Fortra may provide documentation relating to the OST Solution, intended for troubleshooting and general usage support. Fortra may assume that Client and its Authorized Users will first consult such documentation before contacting the helpdesk. Fortra may refer Client and its Authorized Users back to the documentation if it is of the opinion that the question or request can be solved by means thereof.

Fortra will apply all commercially reasonable efforts to respond to any question or request submitted through the helpdesk as quickly as possible but cannot give any guarantees in this respect. The time required for the processing of support requests depends on the nature and complexity of the matter at hand.