Vulnerability Disclosure Policy
Clari encourages researchers to follow responsible disclosure procedures when reporting security issues in our products, services, websites, or infrastructure. Clari is committed to engaging with the research community in a positive, professional, mutually beneficial manner that protects our customers.
Expectations
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
- Our rewards are based on the severity of a vulnerability. Please note that all program parameters, including reward payments, are up to the discretion of Clari and may change at any time.
Disclosure
- Let us know as soon as possible upon discovery of a potential security issue, and we’ll make every effort to quickly resolve the issue.
- When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
- Submit one vulnerability per report. Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
While we accept vulnerabilities on any assets that we own/control, we are particularly interested in vulnerabilities in our products. Please submit any potential findings to VDP@clari.com. Clari values your efforts and promises to remain responsive; update you as your reports are triaged and remediated.
Focused interest
- Attacks that lead to compromise of Clari user data
- Compromise of Clari user accounts
- Remote code execution on systems and applications
- Access to administrator/superuser accounts
- Arbitrary access to a user’s sensitive data/functionality
- Access to underlying containers
- Access to unauthorized data as authenticated user
- Privilege escalation as authenticated user to non superuser
- Sites accepting authentication without https protections
Out of scope
When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues should be considered out of scope:
- Social engineering attempts on Clari personnel or our customers including e-mail phishing attacks, texts, and phone calls.
- Any other vulnerabilities that involve directly sending email to Clari email addresses.
- *Clickjacking on pages with no sensitive actions
- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
- Attacks requiring MITM or physical access to a user's device.
- Previously known vulnerable libraries without a working Proof of Concept.
- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
- Missing best practices in SSL/TLS configuration.
- Any activity that could lead to the disruption of our service (DoS).
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Lack of Rate limiting or bruteforce issues
- Missing best practices in Content Security Policy.
- Missing HttpOnly or Secure flags on non-sensitive cookies
- Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
- Vulnerabilities only affecting users of outdated or unpatched browsers [More than 2 stable versions behind the latest released stable version]
- Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
- Tabnabbing
- Open Redirects that are not chained into a more impactful vulnerability
- Broken links in documentation
Legal
Clari reserves the right to cancel or modify this program at any time. All engagements will be honored to the conditions in existence at the time of verification of the issue.
- In connection with your participation in this program you agree to comply with all applicable laws and Clari policies.
- Please avoid unauthorized access to another person's accounts or data, destruction of data, and interruption or degradation of our infrastructure and services. If you do encounter personally identifiable information, customer data or other sensitive information, contact us immediately, do not proceed with access, and do not retain any copies of such information.
- The vulnerability report and all vulnerabilities therein as well as any confidential data accessed pursuant to a vulnerability shall be Clari confidential information and you shall (i) protect that information using at least a reasonable degree of care, (ii) not use such information other than to provide such information to Clari in connection with the program, and (iii) not divulge to any third person any such information until disclosure is approved in writing by Clari.
- If you’re a minor, on a sanctions list, or live in a country that’s on a sanctions list, we cannot provide a reward.
- Decision making, including participation eligibility and reward payment, is ultimately up to Clari's discretion.
Thank you for your commitment to responsible vulnerability reporting and thank you for helping keep Clari and our customers safe.