# Bug Bounty

Clearpool operates an ongoing Bug Bounty Program to identify and address potential security vulnerabilities. The program invites security researchers and white-hat hackers to responsibly disclose issues that could compromise the safety, integrity, or functionality of the Clearpool protocol.

### Rewards

* Payouts are based on the severity of the vulnerability (see **Vulnerability Ratings** below)
* Rewards are paid in CPOOL or USDC, with a **minimum payout of 500 USDC**

### Submission

All reports must be submitted via [Github](https://github.com/orgs/clearpool-finance/discussions/categories/bug-reports). Reports must include:

* Detailed steps to reproduce the vulnerability
* A proof of concept (PoC) where applicable
* An Ethereum-based address (non-exchange wallet) for payment

All rewards are determined by the Clearpool Core Team and may be modified at their discretion.

### Vulnerability Ratings

{% tabs %}
{% tab title="Critical" %}
**Immediate and severe risk** to Clearpool’s protocol, infrastructure, or users. Exploitation could lead to large-scale loss of funds, complete system compromise, or mass data exposure:

* arbitrary code/command execution on a server in our production network
* arbitrary queries on a production database
* access to sensitive production user data or access to internal production systems
{% endtab %}

{% tab title="High" %}
Serious vulnerabilities that allow an attacker to read or modify highly sensitive data that they are not authorized to access:

* XSS which bypasses CSP
* discovering sensitive user data in a publicly exposed resource
* gaining access to a non-critical system to which an end user account should not have access
{% endtab %}

{% tab title="Medium" %}
Issues that could expose restricted information, cause partial loss of funds, or lead to privilege escalation under certain conditions. Generally lower scope or harder to exploit than High:

* disclosing non-sensitive information from a production system to which the user should not have access
* XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
* CSRF for low risk actions
{% endtab %}

{% tab title="Low" %}
Minor security flaws with minimal potential impact. Exploitation is unlikely to cause financial loss or data compromise, but may violate expected behavior:

* Information disclosure from verbose error messages without proof of exploitability
* Minor UI or client-side validation bypasses with no backend impact
* Ability to trigger low-impact operational behaviors not intended for public access
{% endtab %}
{% endtabs %}

### Ineligibility

Reports will not be rewarded if they include:

* Issues that cannot be reproduced
* Vulnerabilities on sites hosted by third parties
* Vulnerabilities affecting outdated or unpatched browsers
* Vulnerabilities in third party applications
* Vulnerabilities that have been released publicly prior to Clearpool issuing a comprehensive fix
* Vulnerabilities already known to us, or already reported by someone else (reward goes to the first reporter)
* Vulnerabilities that require an improbable level of user interaction
* Missing security headers without proof of exploitability
* Any report without an accompanying proof of concept exploit
* The output from automated tools/scanners
* Issues without any security impact

### Non-security Issues

You can let us know about non-security issues at:

[Github Discussions](https://github.com/orgs/clearpool-finance/discussions) or [Clearpool Feedback](https://clearpool.finance/feedback)
