Bug Bounty Program
Last update: November 26, 2024
CleanShot team looks forward to working with independent security researchers. As long as you comply with this policy, you are welcome to test and report any vulnerabilities you find in our services. We offer rewards for valid reports to encourage ethical hackers to help us keep our users safe.
Program Rules
Here are the base rules of the CleanShot Bug Bounty program:
- Each report must include the steps necessary to reproduce the issue (Proof of Concept) and demonstrate a real security vulnerability (i.e. having impact on the confidentiality, integrity, or availability of the service).
- Provide us with enough time to resolve the issue before making any information public.
- Multiple vulnerabilities caused by the same underlying issue will be awarded one bounty.
- In case multiple researchers report the same vulnerability, only the first report will be rewarded.
- Respect user privacy. Make effort to avoid accessing user data beyond what is necessary to demonstrate the vulnerability.
- Low quality reports, such as automated tool output without providing additional context, low effort reports that reuse a template containing details of another issue, reports that greatly exaggerate the severity of the issue, etc., will not be rewarded.
Scope
The following components are considered in scope for the program:
- CleanShot X macOS app.
- CleanShot Cloud web app.
- CleanShot Cloud backend and infrastructure.
Out of scope
The following actions are considered out of scope for the program, and any report that uses these techniques or has these characteristics will not be rewarded:
- Missing best practices (e.g. email SPF/DKIM/DMARC, Content Security Policy, HTTP headers, SSL configuration) without a working Proof of Concept demonstrating a real vulnerability.
- Vulnerabilities requiring unlikely user interaction.
- Well-known vulnerable software or libraries without a relevant Proof of Concept.
- UI and UX bugs and spelling mistakes.
- Password policy issues.
- Simple DoS attacks, e.g. missing rate-limiting. A DoS attack is only considered in scope if it is a result of a vulnerability that allows an attacker to consume a significant amount of resources with a small amount of requests.
- Intended behavior of the application.
Prohibited Actions
- Social engineering or phishing of CleanShot employees or contractors.
- Physical attacks against CleanShot personnel or infrastructure.
- Brute forcing directories or subdomains with automated tools like DirBuster.
Safe Harbor
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.
Reporting Process
If you believe you have found a security vulnerability in any CleanShot product, or have any questions or suggestions to this policy, please contact us at security@cleanshot.com.
Thank you for helping us keep CleanShot safe!