Bug Bounty Program
Oct 16, 2020
Find security issues in Clockify and get a reward.
POLICY
The following guidelines give you an idea of what we usually pay out for different classes of security issues.
Low-quality issues may be rewarded below these tiers, so please make sure that there is enough information for us to be able to reproduce your issue and step-by-step instructions including how to reproduce your issue. Screenshots are also helpful, but please make sure to not make these public before submitting them to follow our program’s rules.
REWARDS
| Critical | High | Medium | Low |
|---|---|---|---|
| $2,500 | $1,000 | $500 | $100 |
RULES FOR REPORTING
- Report a qualifying vulnerability that is in the scope of our program (below).
- Be the first person to report the vulnerability.
- Be reasonable with automated scanning methods so as to not degrade services.
- Refrain from disclosing the vulnerability until we've addressed it.
- Report security issue exclusively via the form which is monitored by our security team.
- NEVER try to gain access to real user's account or data.
- You must not leak, manipulate, or destroy any user data.
- Do not impact users with your testing.
IN SCOPE
| Web application | app.clockify.me/signup |
| Android | play.google.com/store/apps/details?id=me.clockify.android |
| iOS | apps.apple.com/us/app/clockify-time-tracker/id1304431926 |
| Chrome Extension | chrome.google.com/webstore/detail/clockify-time-tracker/pmjeegjhjdlccodhacdgbgfagbpmccpe |
| Firefox Extension | addons.mozilla.org/en-US/firefox/addon/clockify-time-tracker/ |
| API Base Endpoint v1 | api.clockify.me/api/v1 |
| API Base Endpoint for Reports | reports.api.clockify.me/v1 |
| API Base Endpoint for PTO | pto.api.clockify.me |
OUT OF SCOPE
| Help | clockify.me/help/ |
| Blog | clockify.me/blog/ |
| Contact | clockify.me/help/contact |
| Forum | forum.clockify.me/ |
| Sales Contact Form | clockify.me/help/contact/sales |
| Bug Bounty Program | security.clockify.me/ |
| Marketplace Developer Portal | developer.marketplace.cake.com/ |
| Subdomains | *.clockify.me |
| * Other landing pages not related to the Clockify application | |
WHAT ARE WE LOOKING FOR
- Cross-site Scripting (XSS)
- Cross-site Request Forgery
- Server-Side Request Forgery (SSRF)
- Database Injections
- Server-side Remote Code Execution (RCE)
- XML External Entity Attacks (XXE)
- Access Control Issues
- Cross-Site Request Forgery on Sensitive Actions or Functions (CSRF/XSRF)
- Exposed Administrative Panels that don't require login credentials
- Anything not listed but important
WHAT WE ARE NOT LOOKING FOR
- Vulnerabilities requiring physical access to the victim's unlocked device
- Denial of Service attacks
- Brute Force attacks
- Spam or Social Engineering techniques
- Content Spoofing
- Best practices concerns
- Issues relating to Password Policy
- Issues relating to token lifetime
- User enumeration
- Full-Path Disclosure on any property
- CSRF-able actions that do not require authentication (or a session) to exploit
- Version number information disclosure
- Reports related to missing security headers
- CSV Injection
- Reverse Tabnabbing
- Race condition
- Rate limit
- Bugs that do not represent any security risk
- Security bugs in third-party applications or services built on the Clockify API
- Vulnerabilities that are limited to unsupported browsers