Guidelines for disclosure

• If a bug is discovered, it must not be publicly disclosed before being fixed by ClickPost.
• ClickPost will not be held responsible for the violation of any guideline, rule, and/or legislation on your end. 
• The privacy and data of users must be protected at all times.
• There should be no disruption to our production systems or destruction of data during security testing. 
• Do not attempt to perform brute-force attacks or denial-of-service attacks.
• If a security issue is discovered, it must not be exploited for any reason whatsoever.
• A proof-of-concept (PoC) submitted must have all the steps required to reproduce the issue.
• The use of automated tools such as Nmap scan or SSL/TLS scan, etc. is strictly prohibited.

Scope of domains

Vulnerabilities within Scope

• SQL Injection
• XXE
• Cross-Site Request Forgery(CSRF)
• Cross-Site Scripting (XSS)
• Excluding Self-XSS
• Broken Authentication
• Broken Session flaws
• Remote Code Execution
• Privilege Escalation
• Directory Traversal - Local File Inclusion
• Insecure Direct Object Reference
• Open redirect
• Misuse/Unauthorized use of ClickPost’s APIs
• Leaking customer's sensitive data
• Email Spoofing - SPF Records Misconfiguration
• Server-Side Request Forgery (SSRF)

Vulnerabilities out of scope

• Any issues related to software or application not under ClickPost’s control
• Vulnerabilities that depend upon social engineering techniques
• Any physical attempts made against ClickPost property
• Minor and trivial issues such as version disclosures
• Clickjacking
• DDOS attacks
• Subdomain Takeover
• CSRF with very limited impact
• Banner Grabbing
• Cookie attributes not set/Secure flag issues
• Reports on outdated browsers
• SSL/TLS controls where other mitigating controls exist
• CORS

If you adhere to the above rules, we will do the following:

Acknowledge your report and work with you to fix the bug

Notify you once the bug is fixed

• Issue bounty awards for eligible findings*