ClickPost Responsible Disclosure
At ClickPost, we take the security of our data and systems very seriously. We value the contribution and assistance of everyone in helping us secure our systems. If you discover any security vulnerability in our system, we would appreciate your cooperation in disclosing it responsibly.
Guidelines for disclosure
- If a bug is discovered, it must not be publicly disclosed before being fixed by ClickPost.
- ClickPost will not be held responsible for the violation of any guideline, rule, and/or legislation on your end.
- The privacy and data of users must be protected at all times.
- There should be no disruption to our production systems or destruction of data during security testing.
- Do not attempt to perform brute-force attacks or denial-of-service attacks.
- If a security issue is discovered, it must not be exploited for any reason whatsoever.
- A proof-of-concept (PoC) submitted must have all the steps required to reproduce the issue.
- The use of automated scanning tools such as Nmap or SSL/TLS scanners is strictly prohibited.
Scope of domains
Vulnerabilities within Scope
- SQL Injection
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS), excluding Self-XSS
- Broken Authentication
- Broken Session flaws
- Remote Code Execution
- Privilege Escalation
- Directory Traversal - Local File Inclusion
- Insecure Direct Object Reference
- Open redirect
- Misuse/Unauthorized use of ClickPost’s APIs
- Leaking customers' sensitive data
- Email Spoofing - SPF Records Misconfiguration
- Server-Side Request Forgery (SSRF)
Vulnerabilities out of scope
- Any issues related to software or application not under ClickPost’s control
- Vulnerabilities that depend upon social engineering techniques
- Any physical attempts made against ClickPost property
- Minor and trivial issues such as version disclosures
- DDoS attacks
- Subdomain Takeover
- CSRF with very limited impact
- Banner Grabbing
- Cookie attributes not set / Secure flag issues
- Reports on outdated browsers
- SSL/TLS controls where other mitigating controls exist
If you adhere to the above rules, we will do the following:
- Acknowledge your report and work with you to fix the bug
- Notify you once the bug is fixed
- Issue bounty awards for eligible findings*