Bug Bounty
Get CPOOL or USDC for finding security bugs
Clearpool operates an ongoing Bug Bounty Program to identify and address potential security vulnerabilities. The program invites security researchers and white-hat hackers to responsibly disclose issues that could compromise the safety, integrity, or functionality of the Clearpool protocol.
Rewards
Payouts are based on the severity of the vulnerability (see Vulnerability Ratings below)
Rewards are paid in CPOOL or USDC, with a minimum payout of 500 USDC
Submission
All reports must be submitted via GitHub. Reports must include:
Detailed steps to reproduce the vulnerability
A proof of concept (PoC) where applicable
An Ethereum-based address (non-exchange wallet) for payment
All rewards are determined by the Clearpool Core Team and may be modified at their discretion.
Vulnerability Ratings
Immediate and severe risk to Clearpool’s protocol, infrastructure, or users. Exploitation could lead to large-scale loss of funds, complete system compromise, or mass data exposure:
arbitrary code/command execution on a server in our production network
arbitrary queries on a production database
access to sensitive production user data or access to internal production systems
Ineligibility
Reports will not be rewarded if they include:
Issues that cannot be reproduced
Vulnerabilities on sites hosted by third parties
Vulnerabilities affecting outdated or unpatched browsers
Vulnerabilities in third-party applications
Vulnerabilities that have been released publicly prior to Clearpool issuing a comprehensive fix
Vulnerabilities already known to us, or already reported by someone else (reward goes to first reporter).
Vulnerabilities that require an improbable level of user interaction
Missing security headers without proof of exploitability
Any report without an accompanying proof of concept exploit
The output from automated tools/scanners
Issues without any security impact
Non-security Issues
You can let us know about non-security issues at: