Bug Bounty
Get CPOOL or USDC for finding security bugs
Clearpool operates an ongoing Bug Bounty Program to identify and address potential security vulnerabilities. The program invites security researchers and white-hat hackers to responsibly disclose issues that could compromise the safety, integrity, or functionality of the Clearpool protocol.
Rewards
Payouts are based on the severity of the vulnerability (see Vulnerability Ratings below).
Rewards are paid in CPOOL or USDC, with a minimum payout of 500 USDC.
Submission
All reports must be submitted via Github. Reports must include:
Detailed steps to reproduce the vulnerability
A proof of concept (PoC) where applicable
An Ethereum-based address (non-exchange wallet) for payment
All rewards are determined by the Clearpool Core Team and may be modified at their discretion.
Vulnerability Ratings
Critical: Immediate and severe risk to Clearpool’s protocol, infrastructure, or users. Exploitation could lead to large-scale loss of funds, complete system compromise, or mass data exposure:
arbitrary code/command execution on a server in our production network
arbitrary queries on a production database
access to sensitive production user data or access to internal production systems
High: Serious vulnerabilities that allow an attacker to read or modify highly sensitive data that they are not authorized to access:
XSS which bypasses CSP
discovering sensitive user data in a publicly exposed resource
gaining access to a non-critical system to which an end user account should not have access
Medium: Issues that could expose restricted information, cause partial loss of funds, or lead to privilege escalation under certain conditions. Generally lower in scope or harder to exploit than High:
disclosing non-sensitive information from a production system to which the user should not have access
XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
CSRF for low risk actions
Low: Minor security flaws with minimal potential impact. Exploitation is unlikely to cause financial loss or data compromise, but may violate expected behavior:
Information disclosure from verbose error messages without proof of exploitability
Minor UI or client-side validation bypasses with no backend impact
Ability to trigger low-impact operational behaviors not intended for public access
Ineligibility
Reports will not be rewarded if they include:
Issues that cannot be reproduced
Vulnerabilities on sites hosted by third parties
Vulnerabilities affecting outdated or unpatched browsers
Vulnerabilities in third party applications
Vulnerabilities that have been released publicly prior to Clearpool issuing a comprehensive fix
Vulnerabilities already known to us, or already reported by someone else (the reward goes to the first reporter)
Vulnerabilities that require an improbable level of user interaction
Missing security headers without proof of exploitability
Any report without an accompanying proof of concept exploit
The output from automated tools/scanners
Issues without any security impact
Non-security Issues
You can let us know about non-security issues at: