    1. Vulnerabilities found in the core application: app.cloverleaf.me
    2. Only unknown/unreported findings are in scope.
    3. Only findings that are reviewed and approved to fix are in scope.
    4. Freeware Scan findings are out of scope.


Any legal adult, excluding members of Cloverleaf or their family/friends.

Rules of Engagement:

    1. No Denial of Service testing
    2. No Physical or Social Engineering
    3. No testing of Third-party Services
    4. No uploading of any vulnerability or client-related content to third-party utilities (e.g. GitHub, Dropbox, YouTube)
    5. All attack payload data must use professional language
    6. If able to gain access to a system, accounts, users, or user data, stop at point of recognition and report. Do not dive deeper to determine how much more is accessible.
    7. When documenting a vulnerability, if a vulnerability is public, please make sure it is discreet and doesn’t identify the client.

Reporting Process:

Contact bugbounty@cloverleaf.me with the subject “BUG BOUNTY” and include the following:

    1. Description: Description of the Common Weakness Enumeration (CWE) related to the vulnerability.
    2. Vulnerability discovery: A description of the process of how you discovered the vulnerability.
    3. Proof of Concept (PoC): The PoC essentially serves as evidence that the vulnerability exists.
    4. Exploitation: A demonstration of the steps an attacker could take to exploit the vulnerability.
    5. Impact: Clearly describe the impact of your vulnerability and link it to the Proof of Concept.
    6. Remediation: Provide a technical solution for how the vulnerability might be resolved.
    7. All communication will be done in English

Response Timeframe:

Cloverleaf will review reports within 5 business days and respond


Cloverleaf will offer $125 US for any newly discovered vulnerability. If multiple reports are filed for the same issue, the email timestamps will be used to award the first report received. Cloverleaf supports payment for verified awards via Bank Transfer or PayPal. To be eligible to receive payment, you must complete a tax form and not be a resident of a jurisdiction against which the United States has sanctions or trade restrictions.

Non-Disclosure Agreement (NDA):

You will be required to sign an NDA to be eligible to receive payment.

Code of Conduct:

Be kind and respectful and Cloverleaf will do the same.

Program Changes:

Cloverleaf maintains the right to modify the bug bounty program rules, scope, or rewards at any time by updating this policy.

Contact Information:

Any questions can be directed to the security@cloverleaf.me email address with the subject “BUG BOUNTY”.