Bug Bounty Program

Introduction

The CAKE.com Bug Bounty Program is a pivotal initiative designed to strengthen the security of CAKE.com’s digital platforms. By incentivizing the discovery and responsible reporting of security vulnerabilities, the program plays a crucial role in maintaining the integrity and trustworthiness of CAKE.com’s services. Participants, including ethical hackers and security researchers, are encouraged to report potential security issues, aligning with the program's guidelines.

This initiative not only underscores the significance of ethical hacking in today's digital landscape but also reinforces CAKE.com’s commitment to safeguarding its user data and services against emerging security threats. The program fosters a collaborative approach to security, leveraging the expertise of the global cybersecurity community to identify and address vulnerabilities proactively.

Each reported security issue goes through an internal investigation. Reports that involve any of the Prohibited Actions listed below are not rewarded.

Rewards

CRITICAL  HIGH    MEDIUM  LOW
$2,500    $1,000  $500    $100

In Scope Assets

Web application app.clockify.me
Android play.google.com/store/apps/details?id=me.clockify.android
iOS apps.apple.com/us/app/clockify-time-tracker/id1304431926
Chrome Extension chrome.google.com/webstore/detail/clockify-time-tracker/pmjeegjhjdlccodhacdgbgfagbpmccpe
Firefox Extension addons.mozilla.org/en-US/firefox/addon/clockify-time-tracker/
API Endpoint *.api.clockify.me/api/

Out of scope Assets

Help clockify.me/help/*
Blog clockify.me/blog/*
Forum forum.clockify.me/
Bug Bounty Page security.cake.com
Subdomains *.clockify.me
*.cake.com
* Other landing pages not related to the Clockify application

Rules for reporting

  • Report a qualifying vulnerability that is in the scope of our program (below).
  • Be the first person to report the vulnerability.
  • Do not publicly disclose reported vulnerabilities. Disclosing a vulnerability, directly or indirectly (e.g. posting it in a public video stream, listed or unlisted), renders the associated report ineligible for a bounty. All resources required to reproduce an issue (PoC files, videos, etc.) must remain solely in the possession of the researcher and the Clockify / CAKE.com team.
  • Report security issues exclusively via the form, which is monitored by our security team.

In Scope Vulnerabilities

  • Cross-site Scripting (XSS)
  • Cross-Site Request Forgery on sensitive actions or functions (CSRF/XSRF)
  • Server-Side Request Forgery (SSRF)
  • Database injection (e.g. SQL or NoSQL injection)
  • Server-side Remote Code Execution (RCE)
  • XML External Entity attacks (XXE)
  • Access control issues
  • Exposed administrative panels that do not require login credentials
  • Any other issue not listed above that has a demonstrable security impact

Out of scope vulnerabilities

  • Vulnerabilities requiring physical access to the victim's unlocked device
  • Denial of Service attacks
  • Brute Force attacks
  • Spam or Social Engineering techniques
  • Content Spoofing
  • Best practices concerns
  • Issues relating to Password Policy
  • Issues relating to token lifetime
  • User enumeration
  • Full-Path Disclosure on any property
  • CSRF-able actions that do not require authentication (or a session) to exploit
  • Version number information disclosure
  • Reports related to missing security headers
  • CSV Injection
  • Reverse Tabnabbing
  • Race conditions
  • Missing or insufficient rate limiting
  • Bugs that do not represent any security risk
  • Security bugs in third-party applications or services built on the Clockify API
  • Vulnerabilities that are limited to unsupported browsers
  • Improper session invalidation
  • Use of a known-vulnerable library (without evidence of exploitability)
  • Vulnerabilities on Third Party Products
  • Not enforcing certificate pinning
  • Pre-Account Takeover

Prohibited Actions

  • Do not initiate any unauthorized financial transactions.
  • Do not conduct social engineering attacks (e.g. phishing, vishing, smishing) against Clockify employees, partners, or customers.
  • Do not use automated scanning tools against in-scope assets.
  • Do not generate spam-like or other high-volume activity.
  • Do not mass-create users, groups, or projects.
  • Do not create or maintain a persistent connection to the server.
  • Do not interrupt normal operations (e.g. by triggering a reboot).
  • Do not delete any files or data.
  • Do not modify any files or data, including permissions.
  • Do not upload files that allow arbitrary command execution (e.g. a webshell).

Payouts

We determine bounty amounts based on a variety of factors, including (but not limited to) impact, the classification and sensitivity of the affected data, ease of exploitation, and the overall risk to Clockify.

The reward for reporting a bug will be paid out once the bug has been fixed and successfully retested by the reporter. This ensures that the fix is effective and meets the standards set by our company.