Get CPOOL or USDC for finding security bugs
At Clearpool we aim to maintain the highest level of cyber security, so the users of our protocol can enjoy a quality and worry free experience. To maintain this high quality, Clearpool has established an ongoing Bug Bounty Program. The Bug Bounty program is designed to encourage and reward those who discover and timely report any potential hacking angles, which can jeopardize security or user experience. For any special one-time bug bounty campaigns we run, please stay up-to-date by following us on Telegram, Twitter or Medium. Otherwise, we invite any whitehat hackers and cybersecurity specialists to participate in this ongoing program.
All bounty submissions will be rated by the Clearpool Core Team and via Governance in the near future. The rewards payouts are based on vulnerability ratings (see below). All payouts will proceed in USDC or CPOOL tokens (subject to change).
- All bug reports must be submitted to https://github.com/orgs/clearpool-finance/discussions/categories/bug-reports.
- Asking for payment in exchange for vulnerability details will result in immediate ineligibility of bounty payments.
- If we cannot reproduce your findings, your report will not be eligible for payout. We ask you to provide as detailed a report as possible with all steps necessary to reproduce your findings.
- Include your Ethereum based address for payment. Please make sure your address is not a centralized exchange wallet. Payment minimums are defined below.
- All payments may be modified at Clearpool’s discretion.
- The minimum payout is equivalent to 500 USDC.
The following properties are in scope for bug bounty rewards
Critical severity issues present a direct and immediate risk to a broad array of our users or to Clearpool itself. They often affect relatively low-level /foundational components in one of our application stacks or infrastructure. For example:
- arbitrary code/command execution on a server in our production network
- arbitrary queries on a production database
- access to sensitive production user data or access to internal production systems
High severity issues allow an attacker to read or modify highly sensitive data that they are not authorized to access. They are generally more narrow in scope than critical issues, though they may still grant an attacker extensive access. For example:
- XSS which bypasses CSP
- discovering sensitive user data in a publicly exposed resource
- gaining access to a non-critical, system to which an end user account should not have access
Medium severity issues allow an attacker to read or modify limited amounts of data that they are not authorized to access. They generally grant access to less sensitive information than high severity issues. For example:
- disclosing non-sensitive information from a production system to which the user should not have access
- XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
- CSRF for low risk actions
Low severity issues allow an attacker to access extremely limited amounts of data. They may violate an expectation for how something is intended to work, but it allows nearly no escalation of privilege or ability to trigger unintended behavior by an attacker. For example:
- Triggering verbose or debug error pages without proof of exploitability or obtaining sensitive information.
Reports in which we are not interested include:
- Vulnerabilities on sites hosted by third parties
- Vulnerabilities affecting outdated or unpatched browsers.
- Vulnerabilities in third party applications
- Vulnerabilities that have been released publicly prior to Clearpool issuing a comprehensive fix.
- Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter). Issues that aren't reproducible.
- Vulnerabilities that require an improbable level of user interaction.
- Missing security headers without proof of exploitability.
- Any report without an accompanying proof of concept exploit.
- The output from automated tools/scanners.
- Issues without any security impact.
You can let us know about non-security issues at https://github.com/orgs/clearpool-finance/discussions or at https://clearpool.finance/feedback.