Responsible Disclosure Policy

Last update: September 16, 2024

The CleanShot team looks forward to working with independent security researchers. As long as you comply with this policy, you are welcome to test and report any vulnerabilities you find in our services. We offer rewards for valid reports to encourage ethical hackers to help us keep our users safe.

Program Rules

Here are the base rules of the CleanShot Bug Bounty program:

  1. Each report must include the steps necessary to reproduce the issue.
  2. Provide us with enough time to resolve the issue before making any information public.
  3. Multiple vulnerabilities caused by the same underlying issue will be awarded one bounty.
  4. Respect user privacy. Make an effort to avoid accessing user data beyond what is necessary to demonstrate the vulnerability.
  5. In case multiple researchers report the same vulnerability, only the first report will be rewarded.
  6. Low-quality reports, such as automated tool output without additional context, low-effort reports that reuse a template containing details of another issue, reports that greatly exaggerate the severity of the issue, etc., will not be rewarded.

Scope

The following components are considered in scope for the program:

  1. CleanShot X macOS app.
  2. CleanShot Cloud web app.
  3. CleanShot Cloud backend and infrastructure.

Out of scope

The following actions are considered out of scope for the program, and any report that uses these techniques or has these characteristics will not be rewarded:

  1. Findings from automated tools without providing a Proof of Concept.
  2. Social engineering or phishing of CleanShot employees or contractors.
  3. Physical attacks against CleanShot personnel or infrastructure.
  4. Brute forcing directories or subdomains with automated tools like DirBuster.
  5. Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.).
  6. Vulnerabilities requiring unlikely user interaction.
  7. Missing best practices in Content Security Policies or other HTTP headers without a working Proof of Concept demonstrating a real vulnerability.
  8. Well-known vulnerable software or libraries without a relevant Proof of Concept.
  9. UI and UX bugs and spelling mistakes.
  10. Password policy issues.
  11. Missing best practices in SSL configuration.
  12. Simple DoS attacks, e.g. missing rate-limiting. A DoS attack is only considered in scope if it is the result of a vulnerability that allows an attacker to consume a significant amount of resources with a small number of requests.
  13. Intended behavior of the application.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you.

Reporting Process

If you believe you have found a security vulnerability in any CleanShot product, or have any questions or suggestions about this policy, please contact us at security@cleanshot.com.

Thank you for helping us keep CleanShot safe!