1 Intro

Clario Tech DMCC (hereinafter - Clario) invites security professionals to participate in our bounty program to ensure security of our products and safety of our customers’ data. Please read carefully this program policy before proceeding any further testing activities on the company assets.

2 Program Scope

The program scope includes in-scope assets and in-scope vulnerabilities. Please note, that you are not allowed to test any Clario assets, which are not included in the program scope. Clario will pay no rewards for any discovered vulnerabilities, which are defined as out of vulnerability scope in this program.

2.1 In-Scope Assets

2.1.1 Web services and applications

Web services and applications, directly bound to the domains specified bellow, are in scope of the program. Any other domains, subdomains, services and applications are out of scope.

Tier 1 https://account.mackeeper.com https://kbill.mackeeper.com https://mkapi.mackeeper.com https://crm.clario.co https://chat.clario.co https://chat-crm.clario.co https://yapi.clario.co https://api.account.clario.co

Tier 2 http://dl.mackeeper.com/ https://clario.co https://webapi.clario.co https://mackeeper.com

Tier 3 https://api-ne.mackeeper.com https://updater.mackeeper.com/ https://dcs.clario.co http://event.mackeeper.com/ https://adblocking.clario.co https://inapp.clario.co https://updater.clario.co

2.1.2 Desktop and mobile applications

The next applications are in scope:

Mackeeper app version 6.6 or higher. We will update this number upon changes in our production releases Note: for short period of time, we still accept High and Critical vulnerability reports for older versions of Mackeeper (5.17 and higher)

This application belongs to Tier 1 resources.

Please note, only defined in this table versions of applications are in scope. We do not accept reports on outdated version of applications.

2.2 Vulnerability Scope

While you are allowed to test any technologies within of the specified scope of resources, please consider the next limitations:

2.2.1 Social engineering

We will reward only the reports on purely technical vulnerabilities. Any kind of social engineering activities during your testing within this program are strictly prohibited and might be illegal.

Particularly, you are not allowed:

• contact to our customers for testing purposes
• contact to Clario Customer Support with manipulative aims
• contact to Clario personnel (except contacts via Hacker One platform to dedicated Clario team)

2.2.2 Service disruption

You must not disrupt Clario services. Especially,

• DDOS attacks are strictly prohibited.
• Please avoid any activity that could lead to the disruption of our service (DoS). Intentional service disruption is prohibited.
• You should always enable throttling on your web-scanners and set it to “one request per second”. Unthrottled automated scanning reports could be qualified as N/A.

2.2.3 Customer data access restriction

You must not compromise or disclosure any customer data. Please immediately stop your research and notify Clario in case you have got access to any customer account or data (except your own or those you have explicit written permission from their owners)

2.3 Vulnerabilities out-of-scope

We are not interested and will not reward reports for vulnerabilities specified in this section

2.3.1 Common vulnerabilities excluded from the scope

• Missing best practices in SSL/TLS configuration
• Missing SPF/DMARC/DKIM settings
• Missing best practices in Content Security Policy
• Server/Application error message with no sensitive information leakage
• Previously known vulnerable libraries without a working Proof of Concept
• Theoretical security issues with no realistic exploit scenario
• Issues that would require complex end-user interactions to be exploited
• Vulnerabilities that require root-level physical access to the targeted device to be exploited
• Open ports scanning, banner grabbing, software version disclosure
• MITM attacks (except the reports on VPN vulnerabilities)
• Clickjacking on pages with no severe impact
• Implausible bruteforce attacks
• Rate limiting or bruteforce issues on non-authentication endpoints
• Vulnerabilities which could not be reproduced on the latest versions (by the day of your report) of the browsers Safari, Chrome, Firefox

2.3.2 Common vulnerabilities excluded from the scope if the potential impact is not proven

The next vulnerabilities are usually excluded from scope as “not self-sufficient”. However, you may show them as a part of your attack chain. In this case we will reward your report according the maximum proven vulnerability in your report.

• Content spoofing and text injection in client side only
• Stack traces, path disclosure, and directory listings
• “Mixed Content” issues
• HTTP Options header
• Missing HttpOnly or Secure flags on cookies
• Comma Separated Values (CSV) injection

2.3.3 Out of Scope bugs for Android apps

• Lack of rooting detection
• Runtime hacking exploits (exploits only possible in a rooted environment)
• Lack of binary protection control in android app
• Shared links leaked through the system clipboard
• Any URIs leaked because a malicious app has permission to view URIs opened
• Lack of obfuscation third-party libraries
• User data stored unencrypted on external storage
• OAuth and App secret hard-coded/recoverable in APK
• Any kind of sensitive data stored in app private directory

2.3.4 Out of Scope bugs for iOS apps

• Lack of jailbreak detection is out of scope
• Runtime hacking exploits (exploits only possible in a jailbroken environment)
• Lack of binary protection (anti-debugging) controls
• Lack of Exploit mitigations i.e., PIE, ARC, or Stack Canaries
• Path disclosure in the binary
• Lack of obfuscation third-party libraries
• OAuth and App secret hard-coded/recoverable in APK
• Snapshot/Pasteboard leakage

3 Rewards (bounty)

The reward is calculated based on the target tier (see the Program Scope section of this document) and severity of the vulnerability.

Clario defines severity level based on our self-calculated CVSS score for each specific vulnerability.

Please note, that Clario may use additional factors unrelated to CVSS score to determine the severity level of a vulnerability. This approach is supported by the CVSS v3.1 specification:

"Consumers may use CVSS information as input to an organizational vulnerability management process that also considers factors that are not part of CVSS in order to rank the threats to their technology infrastructure and make informed remediation decisions. Such factors may include: number of customers on a product line, monetary losses due to a breach, life or property threatened, or public sentiment on highly publicized vulnerabilities. These are outside the scope of CVSS".

For example, CVSS methodology uses Confidentiality, Integrity, and Availability as equal factors for the calculations. Clario always emphasises our customer data protection. So, we will rate vulnerabilities related to personal data protection as more critical, than similar vulnerabilities affecting availability only. Our rule of thumb is: “the more likely vulnerability will affect our customers data and the more easily is to reproduce the attack, the higher severity level and the higher reward”.

Another example is attack vector. Clario will not reward vulnerabilities, which requires physical access to customer device to be exploited. These vulnerabilities are explicitly defiled out of scope, while it is still possible calculate CVSS score for such vulnerabilities.

Usually, we also decrease criticality level of vulnerabilities, which do not harm our assets directly, but rather “might be potentially used” as a part of some more complex attack chain. For example, reflected XSS in most cases will be evaluated as “Low”, except you provided PoC for full attack chain with more significant impact.

Please note, that our priority is TECHNICAL issues. The more “social engineering” activities assume your scenario, the less reward you will get.

Bounty calculation table:

TIER 1 Critical - 5000 High - 3000 Medium - 1000 Low - 250

TIER 2 Critical - 3000 High - 1500 Medium - 400 Low - 150

TIER 3 Critical - 1000 High - 750 Medium - 250 Low - 100

Please note, this table specifies the maximum amount paid by Clario as reward. The actual amount will depend also on the report quality. Reports lacking necessary information to enable Clario to efficiently reproduce the issue will not be rewarded. Please read Report Eligibility section for more details.

Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.

4 Report Eligibility

4.1 In order your report to be eligible, you must:

• Be the first party to report the issue
• Provide a clear report, containing steps to reproduce issue and Proof of Concept (PoC)
• Not disclose the issue publicly before Clario approval
• Follow this program policy and do not violate the rules

4.2 Eligible report should include:

• A detailed description of the issue, inclusive potential impact
• Any conditions, prerequisites and steps to reproduce the issue
• Any other supporting documentations (codes, screenshots, references) required to explain the vulnerability and the relevant attack scenario

Please submit one vulnerability per a report, unless you need to chain vulnerabilities to provide impact.

4.3 Please DO NOT report:

• purely theoretical and best-practice issues without real impact description and PoC
• unvalidated reports from automated vulnerability scanners
• issues out-of-scope Such reports most likely be closed as "N/A". Submitting multiple N/A reports may result in you being excluded from participating in our program.

5 Response Targets (SLA)

Clario will make the best effort to meet the following SLAs for hackers participating in our program:

SLA (in business days):

• First Response (from report submit) - 2
• Time to Triage (from first response) - 2
• Time to Bounty (from triage) - 14

Time to Resolution depends on severity and complexity.

We will keep you informed about our progress throughout the process.

6 Disclosure Policy

You must not discuss any vulnerabilities (inclusive the resolved ones) outside of the program without express consent from Clario.

Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to not disclose the report or to disclose it only partially.

Please follow HackerOne Disclosure Guidelines.

7 Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered as authorized conduct and we will not initiate any legal actions against you.

If legal actions is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

Still, you must comply with all applicable laws, including local laws of the country or region in which you reside or in which you download or use Clario software or services.

8 Feedback

If you have any suggestions or feedback, please let us know at [email protected]