# Bug Bounty

Clearpool operates an ongoing Bug Bounty Program to identify and address potential security vulnerabilities. The program invites security researchers and white-hat hackers to responsibly disclose issues that could compromise the safety, integrity, or functionality of the Clearpool protocol.

### Rewards

* Payouts are based on the severity of the vulnerability (see **Vulnerability Ratings** below)
* Rewards are paid in CPOOL or USDC, with a **minimum payout of 500 USDC**

### Submission

All reports must be submitted via [Github](https://github.com/orgs/clearpool-finance/discussions/categories/bug-reports). Reports must include:

* Detailed steps to reproduce the vulnerability
* A proof of concept (PoC) where applicable
* An Ethereum-based address (non-exchange wallet) for payment

All rewards are determined by the Clearpool Core Team and may be modified at their discretion.

### Vulnerability Ratings

{% tabs %}
{% tab title="Critical" %}
**Immediate and severe risk** to Clearpool’s protocol, infrastructure, or users. Exploitation could lead to large-scale loss of funds, complete system compromise, or mass data exposure:

* arbitrary code/command execution on a server in our production network
* arbitrary queries on a production database
* access to sensitive production user data or access to internal production systems
{% endtab %}

{% tab title="High" %}
Serious vulnerabilities that allow an attacker to read or modify highly sensitive data that they are not authorized to access:

* XSS which bypasses CSP
* discovering sensitive user data in a publicly exposed resource
* gaining access to a non-critical system to which an end user account should not have access
{% endtab %}

{% tab title="Medium" %}
Issues that could expose restricted information, cause partial loss of funds, or lead to privilege escalation under certain conditions. Generally lower scope or harder to exploit than High:

* disclosing non-sensitive information from a production system to which the user should not have access
* XSS that does not bypass CSP or does not execute sensitive actions in another user’s session
* CSRF for low risk actions
{% endtab %}

{% tab title="Low" %}
Minor security flaws with minimal potential impact. Exploitation is unlikely to cause financial loss or data compromise, but may violate expected behavior:

* Information disclosure from verbose error messages without proof of exploitability
* Minor UI or client-side validation bypasses with no backend impact
* Ability to trigger low-impact operational behaviors not intended for public access
{% endtab %}
{% endtabs %}

### Ineligibility

Reports will not be rewarded if they include:

* Issues that cannot be reproduced
* Vulnerabilities on sites hosted by third parties
* Vulnerabilities affecting outdated or unpatched browsers
* Vulnerabilities in third party applications
* Vulnerabilities that have been released publicly prior to Clearpool issuing a comprehensive fix
* Vulnerabilities already known to us, or already reported by someone else (reward goes to the first reporter)
* Vulnerabilities that require an improbable level of user interaction
* Missing security headers without proof of exploitability
* Any report without an accompanying proof of concept exploit
* The output from automated tools/scanners
* Issues without any security impact

### Non-security Issues

You can let us know about non-security issues at:

[Github Discussions](https://github.com/orgs/clearpool-finance/discussions) or [Clearpool Feedback](https://clearpool.finance/feedback)
