Common use of Technology Products Clause in Contracts

Technology Products. With respect to Products comprised, either in part or in whole, of software or other technology (“Technology Products”), Supplier further warrants that:

It uses industry best practices to ensure, and to the best of Supplier’s knowledge, Technology Products do not contain any virus, worm, Trojan horse, or similar malware or destructive code that may destroy, modify, alter, or cause the destruction, modification or alteration, in whole or in part, of any of Flyer’s equipment, devices, software, or data, or permit unauthorized access to any of the foregoing, including the Technology Products;

Unless expressly agreed otherwise in a signed writing, no hardware or software Technology Products, including operating systems and embedded software, or any component thereof, will contain any (a) “phone-home”, metering, or other feature designed to periodically transmit usage, statistical or other data to Supplier or (b) hardware or software designated as end-of-life (e.g., no longer supported or updated by the manufacturer or licensor) prior to the date of the relevant Purchase Order;

Neither Supplier nor any of its agents, contractors, or employees, or anyone acting on their behalf, will disable or interfere, in whole or in part, with use of the Technology Product or any software, hardware, systems or data owned, utilized or held by Flyer without Flyer’s prior written consent, whether or not the disablement is in connection with any dispute between the parties or otherwise;

It will conduct application security assessment review(s), including penetration tests and code review, to identify common security vulnerabilities as identified by industry-recognized organizations (e.g., OWASP Top 10 Vulnerabilities; CWE/SANS Top 25 vulnerabilities) for all major releases, as determined by Flyer, of the Technology Products, but in any event no less than every twelve (12) months or in the event a new vulnerability is identified by one of the foregoing organizations; and

It shall, at its sole expense, either (i) use the third party firm specializing in code reviews identified by Flyer to conduct the foregoing security assessments or (ii) conduct the security assessment review itself, provided that Supplier Personnel performing the review are experienced in conducting reviews of this kind, hold an industry-recognized certification in security assessments for software (e.g., Certified Secure Software Lifecycle Professional (CSSLP) or GIAC Secure Software Programmer certification), follow industry standard best practices for such assessments, and assessment results are promptly shared by Supplier with Flyer’s Procurement Representative for review and approval by Flyer.

Supplier shall at its sole expense remediate all vulnerabilities identified and rated as a result of the assessment as medium or higher (or other similar designation) (i) prior to a new version of the Supplier’s Software being introduced to production environments, and (ii) for a version of the Technology Product currently in production, within thirty (30) to ninety (90) days based on the criticality of the vulnerability identified from the assessment.

Supplier also warrants that it shall test all Technology Products, including all embedded third party software, in accordance with best industry practices, but in no event less than on a quarterly basis, for any vulnerability or exposure identified in Mitre’s Common Vulnerabilities and Exposures (“CVE”) located at ▇▇▇▇://▇▇▇.▇▇▇▇▇.▇▇▇ and having a Common Vulnerability Scoring System (“CVSS”) score of 4 or higher (as published by the NIST National Vulnerability Database, located at ▇▇▇▇://▇▇▇.▇▇▇▇.▇▇▇). In the event such a vulnerability is identified, Supplier shall, at no additional charge to Flyer, promptly remediate the vulnerability.
Supplier shall keep complete and accurate records of its testing and remediation activities under this Section in accordance with the obligation to retain records under Section 20.

Appears in 2 contracts

Sources: Purchase Order, Purchase Order