Clovia Responsible Disclosure Policy
At Clovia, we take the security of our systems seriously, and it is our constant endeavour to make our website a safe place for our customers to use. However, in the rare case when some security researcher or member of the general public identifies a vulnerability in our systems, and responsibly shares the details of it with us, we appreciate their contribution and work closely with them to address any reported issue with urgency. Further, we are happy to acknowledge your contributions publicly.
How to report a bug?
If you happen to have identified a vulnerability on any of our web properties, we request you to follow the steps outlined below:
- Please contact us immediately by sending an email to [email protected] with the necessary details to recreate the vulnerability scenario. This may include screenshots, videos or simple text instructions.
- Please share your contact details (email, phone number), so that our security team can reach out to you if further inputs are needed to identify or close the problem.
- Do provide enough information to reproduce the problem, so we will be able to resolve it as quickly as possible.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.
Generally speaking, any bug that poses a significant vulnerability could be eligible for recognition, but it is entirely at our discretion to decide whether a bug is significant enough to be eligible for recognition. Security issues that would typically be eligible are listed under Vulnerability Categories.
Vulnerability Categories:
- Cross-Site Request Forgery (CSRF)
- Cross-Site Scripting (XSS)
- Code Executions
- SQL injections
- Server-Side Request Forgery (SSRF)
- Privilege Escalations
- Authentication Bypasses
- File inclusions (Local & Remote)
- Protection Mechanism bypasses (CSRF bypass, etc.)
- Leakage of sensitive data
- Directory Traversal
- Payment manipulation
- Administration portals without authentication mechanism
- Open redirects which allow stealing tokens/secrets
- Don't violate the privacy of other users, destroy data, disrupt our services, etc.
- Only target your own accounts in the process of investigating any bugs/findings. Don't target, attempt to access, or otherwise disrupt the accounts of other users.
- Don't target our physical security measures, or attempt to use social engineering, spam, distributed denial of service (DDoS) attacks, etc.
- In case you find a severe vulnerability that allows system access, you must not proceed further.
- It is Clovia's decision to determine when and how bugs should be addressed and fixed.
- Disclosing bugs to a party other than Clovia is forbidden; all bug reports are to remain at the reporter's and Clovia's discretion.
- Threats of any kind will automatically disqualify you from participating in the program.
- Exploiting or misusing the vulnerability for your own or others' benefit will automatically disqualify the report.
- Bug disclosure communications with Clovia's Security/Technology Team are to remain confidential. Researchers must destroy all artifacts created to document vulnerabilities (POC code, videos, screenshots) after the bug report is closed.
We are not part of a cash/bug bounty program but are happy to issue a certificate of recognition to individuals who report security issues responsibly and help us make Clovia's systems more secure.
A big thank-you!
Contributors – Clovia Responsible Disclosure Program
Clovia would like to thank all individuals who have discovered and reported vulnerabilities in Clovia's systems as per the responsible disclosure program. We sincerely appreciate the efforts of each individual listed below and we thank them for their technical skills, security knowledge, and constructive engagement with Clovia.
- 2021: Mohit Gadiya
- 2020: Vasu Yadav
- 2019: Sumit Sahoo