Bug Bounty

Get CPOOL or USDC for finding security bugs

Clearpool operates an ongoing Bug Bounty Program to identify and address potential security vulnerabilities. The program invites security researchers and white-hat hackers to responsibly disclose issues that could compromise the safety, integrity, or functionality of the Clearpool protocol.

Rewards

  • Payouts are based on the severity of the vulnerability (see Vulnerability Ratings below)

  • Rewards are paid in CPOOL or USDC, with a minimum payout of 500 USDC

Submission

All reports must be submitted via GitHub. Reports must include:

  • Detailed steps to reproduce the vulnerability

  • A proof of concept (PoC) where applicable

  • An Ethereum-based address (non-exchange wallet) for payment

All rewards are determined by the Clearpool Core Team and may be modified at their discretion.

Vulnerability Ratings

Immediate and severe risk to Clearpool’s protocol, infrastructure, or users. Exploitation could lead to large-scale loss of funds, complete system compromise, or mass data exposure:

  • arbitrary code/command execution on a server in our production network

  • arbitrary queries on a production database

  • access to sensitive production user data or access to internal production systems

Ineligibility

Reports will not be rewarded if they include:

  • Issues that cannot be reproduced

  • Vulnerabilities on sites hosted by third parties

  • Vulnerabilities affecting outdated or unpatched browsers

  • Vulnerabilities in third-party applications

  • Vulnerabilities that have been released publicly prior to Clearpool issuing a comprehensive fix

  • Vulnerabilities already known to us, or already reported by someone else (the reward goes to the first reporter)

  • Vulnerabilities that require an improbable level of user interaction

  • Missing security headers without proof of exploitability

  • Any report without an accompanying proof of concept exploit

  • The output from automated tools/scanners

  • Issues without any security impact

Non-security Issues

You can let us know about non-security issues at:

GitHub Discussions or Clearpool Feedback
