Responsible Disclosure

Scope:

  • Vulnerabilities found in the core application (app.cloverleaf.me) are eligible.
  • Only unknown/unreported findings are in scope.
    • Duplicate reports are not in scope.
  • Only findings that are reviewed and approved for a fix are in scope.
    • Low-risk findings that Cloverleaf accepts as a risk and will not act on are not in scope.
  • Findings produced by OWASP or other free web-based scanners are not in scope.

Eligibility:

Any legal adult, excluding Cloverleaf members and their family or friends.

Rules of Engagement:

    1. No Denial of Service testing.
    2. No Physical or Social Engineering.
    3. No testing of Third-party Services.
    4. No uploading of any vulnerability or client-related content to third-party utilities (e.g. Github, DropBox, YouTube).
    5. All attack payload data must use professional language.
    6. If able to gain access to a system, accounts, users, or user data, stop at point of recognition and report. Do not dive deeper to determine how much more is accessible.
    7. When documenting a vulnerability that is made public, make sure the write-up is discreet and does not identify the client.

Reporting Process:

Contact responsible_disclosure@cloverleaf.me with subject of “Responsible Disclosure Program” and include the following:

    1. Description: Description of the Common Weakness Enumeration (CWE) related to the vulnerability.
    2. Vulnerability discovery: A description of the process of how you discovered the vulnerability.
    3. Proof of Concept (PoC): The PoC essentially serves as evidence that the vulnerability exists.
    4. Exploitation: A demonstration of the steps an attacker could take to exploit the vulnerability.
    5. Impact: Clearly describe the impact of your vulnerability and link it to the Proof of Concept.
    6. Remediation: Provide a technical solution for how the vulnerability might be resolved.
    7. All communication will be done in English.

Response Timeframe:

Cloverleaf will review reports within 5 business days and respond.

Rewards:

Cloverleaf will offer $125 US for any newly discovered vulnerability. If multiple reports are filed for the same issue, the email timestamps will be used to award the first report received. Cloverleaf supports payment for verified awards via bank transfer or PayPal. To be eligible to receive payment you must complete a tax form and not be a resident of a jurisdiction against which the United States has sanctions or trade restrictions.

The Responsible Disclosure participant is responsible for any recipient-side fees charged by their chosen method of payment.

Non-Disclosure Agreement (NDA):

Signing an NDA is required to be eligible to receive payment.

Code of Conduct:

Be kind and respectful and Cloverleaf will do the same.

Program Changes:

Cloverleaf maintains the right to modify the responsible disclosure program rules, scope, or rewards at any time by updating this policy.

Contact Information:

Any questions can be directed to the responsible_disclosure@cloverleaf.me email address with the subject “Responsible Disclosure Program”.