Security Terms & Conditions
Applicable from April 18th, 2025
1. Introduction and Scope
1.1. Introduction
These Security Review Terms of Service ("Security Terms") govern all security reviews, assessments, and evaluations of PC APP STORE services. These Security Terms are part of the Master Terms of Service Agreement ("Master Agreement") and incorporate all applicable provisions from the Master Agreement.
1.2. Binding Agreement
BY INITIATING ANY SECURITY REVIEW OF PC APP STORE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY ALL OF THE FOLLOWING TERMS.
IMPORTANT: By initiating any security review of the Services, you ("Reviewer") expressly agree to comply fully with all terms and conditions set forth in these Security Terms. If you cannot or will not adhere to these terms, you must refrain from conducting any security review and remove our Product from your systems.
1.3. Definitions
In these Security Terms, the following security-specific words and phrases shall have the meanings set forth below:
- "Flag", "Detection", or "Classification" refers to any marking, notification, alert, label, naming convention, coding, publication, or any other designation that might convey or imply to end users or the public that an issue, security risk, or negative condition exists in or about the Services
- "LRSE" means a Legitimate and Recognized Security Entity possessing proprietary technology, direct expertise and demonstrated capability to produce a Substantiated Detection
- "Substantiated Detection" means a Flag supported by a Supporting Evidence Package as detailed in Section 6.3
- "Reviewer" refers to any individual or entity conducting a security review of the Services
- "Supporting Evidence Package" refers to the detailed security report format described in Section 6.3
- "Triggering Event" means the public distribution of a Flag without adhering to this agreement
- "Remediation Period" means the period starting with the initial detection of a security issue and extending for a minimum of 90 days following the provision of all required information about the issue
2. Purpose and Legitimate Interests
2.1. Purpose
This Policy ensures that every external assessment of PC APP STORE is technically accurate, reproducible and responsibly disclosed, thereby protecting end-users from genuine threats while safeguarding the Company's commercial reputation and contractual pipeline.
3. Legitimate and Recognized Security Entity ("LRSE")
3.1. Authorized Organizations
Only Legitimate and Recognized Security Entities—defined as those possessing proprietary technology, direct technical expertise, and established capabilities for thorough security reviews—are authorized to conduct assessments of the Services.
3.2. Exclusion of Inadequate Capabilities
Any entity or individual primarily relying on superficial scanning tools, heuristic-based third-party systems, or methods that cannot substantiate findings down to the source-code level is not considered a Legitimate and Recognized Security Entity. Such entities are expressly prohibited from conducting, disclosing, or publicly reporting on any security assessment of the Services.
3.3. Mandatory Compliance for All Entities
If you or your organization lack the requisite capability or expertise to conduct a comprehensive code-level review as a Legitimate and Recognized Security Entity, you are still fully bound by these Security Terms and must:
1. Immediately whitelist the Services in any detection systems you control;
2. Refrain absolutely from issuing or publicly sharing any Flag regarding the Services; and
3. Acknowledge that your lack of capability does not exempt you from any obligations, liquidated damages, or remedies specified in these Security Terms.
This requirement is not optional or alternative to compliance with the other provisions of these Security Terms—it is an additional mandatory obligation for entities lacking sufficient expertise.
4. Permissible and Valid Security Activities
Legitimate and Recognized Security Entities may perform only the following assessments, provided such activities are conducted responsibly and do not disrupt, degrade, or otherwise harm the Services' operations or availability:
4.1. Vulnerability Assessments
Identification of potential security flaws—such as buffer overflows, SQL injections, cross-site scripting (XSS), cross-site request forgery (CSRF), remote code execution (RCE), directory traversal, insecure direct object references (IDOR), authentication/authorization weaknesses, and configuration errors—carried out without disruption to the Services.
4.2. Zero-Day Vulnerabilities
Discovery and responsible disclosure of previously unknown vulnerabilities for which no patch exists, adhering to confidential and timely reporting obligations (see Section 6).
4.3. Supply Chain Security Assessments
Evaluation of the Services' dependencies, build processes, or third-party components to identify malicious code injections, dependency confusion risks, or other supply-chain–related vulnerabilities.
4.4. Code Reviews and Secure Development Practices
Analysis of the Services' source code for insecure coding patterns, logic flaws, unsafe use of libraries/frameworks, or unintended exposure of sensitive information (e.g., credentials), focusing exclusively on legitimate security issues.
4.5. Infrastructure and Configuration Security Reviews
Assessment of the Services' cloud configurations, API security, credential management, privilege settings, file permissions, TLS/SSL implementations, and similar infrastructure-related security measures, provided such assessments do not compromise the Services' performance or availability.
4.6. Identity and Access Management (IAM) Assessments
Identification of vulnerabilities in the Services' privilege escalation, incorrect permission assignments, weak authentication, or lack of adequate security controls (such as MFA), executed without negatively impacting the service or user experience.
4.7. Penetration Testing
Simulated attack scenarios (including social engineering and internal/external network security tests) on the Services performed responsibly to avoid any substantial service interruption or data compromise.
5. Prohibited and Invalid Activities
Any activity outside the scope described in Section 4 or violating the conditions of these Security Terms is strictly prohibited and considered Invalid. Prohibited activities include, but are not limited to:
5.1. Unauthorized Scope
Conducting or reporting on any review, scan, or test beyond what is explicitly permitted under Section 4.
5.2. Partial or Superficial Reviews
Using pattern-based, probabilistic, or heuristic-only checks (e.g., antivirus heuristics, generic scans, or incomplete data) without comprehensive code-level analysis.
5.3. Commercial Self-Promotion
Using the Services' findings, real or alleged, to market, advertise, or promote your own security products or services.
5.4. Non-Security Criteria Assessments
Issuing any Flag based on subjective or extraneous factors such as EULA terms, user interface preferences, commercial or business models, pricing, partnerships, or marketing strategies. Only objective, security-related criteria may be used to justify a Flag regarding the Services.
5.5. Nonobjective Criteria
Applying criteria to the Services that you do not uniformly apply to other products under similar review. Any selective or biased evaluation standard is strictly prohibited.
5.6. Monetization or Exploitation of Findings
Leveraging discovered issues or reports for SEO, advertising, self-publication, or any form of publicity, including but not limited to social media posts, press releases, or promotional campaigns.
6. Disclosure Requirements
6.1. Timeliness of Disclosure
Failure to promptly disclose vulnerabilities or deliberately withholding critical security details can endanger our end users and may constitute criminal conduct under applicable law.
6.2. Mandatory 12-Hour Notification
Any detections, discovered vulnerabilities, or security issues must be reported to support@pcappstore.com no later than 12 hours after initial discovery.
6.3. Report Format and Content
Disclosures must provide a "Supporting Evidence Package" in alignment with ISO/IEC 29147 (or equivalent industry best practices) and must include the following details to be deemed valid:
- Reporter's full name, position, company, email address, and phone number
- The exact source from which the Services/file was obtained
- Product name, file name, and version under review
- Detailed description of the testing environment (OS, network architecture, etc.)
- Security tools or methodologies used (names and versions)
- Exact reproduction steps or exploit proof-of-concept
- Objective justification for classifying the vulnerability as a security issue
- References to relevant standards, specifications, and/or objective criteria
6.4. Incomplete or Non-Compliant Reports
Any report lacking the details above is deemed incomplete and will be considered void until the missing information is fully provided.
7. Remediation
7.1. Valid Remediation
Before the Remediation Period commences, both Reviewer and Fast Corporation Ltd. must mutually agree that the reported issue constitutes a legitimate and valid security vulnerability, and not one that is invalid (see Section 5).
7.2. Remediation Period Commencement
The Remediation Period begins immediately upon your initial detection of a purported security issue—regardless of whether the issue is ultimately deemed valid or invalid.
7.3. Cooperation and Assistance
You are required to provide all additional details, clarifications, and retesting support necessary for us to address the issue effectively.
7.4. Minimum Remediation Timeline
The minimum Remediation Period is 90 days, commencing after you have actively cooperated by providing all required information. We reserve the right to extend the period if the issue proves complex or necessitates third-party coordination.
7.5. Prohibition on Flagging Post-Remediation
Upon successful remediation of any valid issue, you shall not Flag or classify the Services for that issue or any derivative thereof.
8. Non-Disclosure
8.1. Confidentiality Obligation
You agree to maintain strict confidentiality regarding any discovered vulnerability or security issue for the entire duration of the Remediation Period.
8.2. No Public Disclosure
During the Remediation Period, you must not publicly disclose, discuss, or disseminate any details of the issue, including but not limited to posting on forums, social media, or security mailing lists.
9. Universal Applicability
9.1. Superseding Prior Agreements
This Policy overrides any prior agreements, contracts, or understandings relating to security reviews of the Services.
9.2. Method of Acquisition Irrelevant
These terms apply in all cases, including but not limited to when the Services are obtained via direct download, third-party distribution, client materials, automated scanning tools, AI systems, machine-learning models, or any other channel.
9.3. Continuous Liability
You remain bound by these obligations regardless of how or when you acquired or analyzed the Services. Any attempt to circumvent these obligations by indirect means is void.
9.4. Removal if Non-Compliance
If you are unable or unwilling to comply fully with these terms, you must immediately remove all instances of the Services, related materials, and any derivatives from your environment and ensure your platforms do not collect, scan, or review the Services in the future.
10. Liquidated Damages and Indemnity
10.1. Initial Damages
For any Triggering Event—defined as the public distribution of a Flag without adhering to this agreement—Reviewer shall immediately pay initial damages of £250,000 for incident response costs.
10.2. Ongoing Damages
Reviewer shall pay ongoing monthly damages calculated as (£3 GBP × N) average acquisition cost + (£7 GBP × N) minimum lifetime profit value, where N equals unique endpoints that received the Flag. This ongoing monthly damage payment continues until Reviewer retracts the Flag from all public distribution.
10.3. Acknowledgment of Costs
Parties acknowledge that the damages calculated above represent direct and documented costs incurred by Fast Corporation Ltd.
10.4. Calculation Acceptance
Reviewer accepts Fast Corporation Ltd.'s calculations regarding the number of affected endpoints (N) as final and binding.
10.5. Limited Liability
If Reviewer retracts the Flag from all public feeds within 48 hours upon Fast Corporation Ltd. notification, liability under this clause is limited to direct, documented expenses.
10.6. Scope of Liability
Liability extends to cover all losses, harms, or damages arising directly or indirectly from the breach, including but not limited to reputational harm, financial losses, and any costs associated with remediation or legal actions.
11. Safe Harbor
Provided Reviewer complies with all requirements in these Security Terms, Fast Corporation Ltd. waives claims under:
- The Computer Misuse Act 1990 in the United Kingdom
- The U.S. Computer Fraud and Abuse Act (CFAA) in the United States
- Sections 296ZA-296ZE of the Copyright, Designs and Patents Act 1988 (circumvention of technological protection measures) in the United Kingdom; or
- DMCA §1201 (anti-circumvention provisions) in the United States for necessary acts performed during permitted tests.
12. Authority and Binding Agreement
12.1. Representation and Warranty of Authority
By conducting any security review of the Services, you represent and warrant that you have the full legal authority to accept these terms, both on your own behalf and on behalf of your employer or principal organization, if applicable.
12.2. Binding Nature
These terms form a legally binding agreement between you and Fast Corporation Ltd. Any unauthorized or noncompliant conduct will be subject to the remedies outlined herein and any other remedies available under law.
13. Relationship to Master Agreement
13.1. Integration with Master Agreement
These Security Terms are incorporated by reference into the Master Terms of Service Agreement ("Master Agreement"). The Master Agreement contains provisions that apply to security reviews, including but not limited to:
- Definitions of key terms
- Term and termination
- Electronic agent authorization and responsibility
- Limitation of liability
- Jurisdiction and dispute resolution
- General legal terms
13.2. Conflicts
In the event of any conflict between these Security Terms and the Master Agreement, the Master Agreement shall prevail.
13.3. Severability
If any provision of these Security Terms is found to be unenforceable, the remaining provisions of both these Security Terms and the Master Agreement shall remain in full force and effect.
13.4. Amendments
Any amendments to these Security Terms shall be made in accordance with the amendment procedures set forth in the Master Agreement.