Responsible Disclosure Policy

Introduction

CleverMaps believes that close partnerships with security researchers make everyone more secure. Security researchers play a key role in discovering vulnerabilities that went undiscovered during the software development process. We want to partner with security researchers to better protect our customers.

If you are a security researcher who has found a vulnerability on our platform or website, you can submit your report to security@clevermaps.io.

Guidelines

  • Any submissions should contain steps to reproduce your proof of concept along with a detailed analysis that will be used to identify the issue and ensure a quick vulnerability fix.

  • Your contributions help us address vulnerabilities we did not discover during the development process or do not already know about.

  • Avoid harm to customer data, privacy, and service availability: Since security research may depend on services that our customers use and depend on, avoid research that violates customer privacy, destroys data, or interrupts service. If you discover confidential customer data while researching, stop and contact us immediately so we can work with you to address the issue.

  • Follow the disclosure process: If you find a vulnerability, report it to us privately and allow us to correct it and protect our customers. We work on reports diligently to address them quickly.

Responsible Disclosure Program Rules

Please review the program rules carefully before you submit a bug report. By participating in CleverMaps' Responsible Disclosure program, you agree to be bound by these rules. As part of our security program, we recognize and encourage responsible security research in our applications.

What Qualifies?

Implementation and design issues that substantially impact the CleverMaps platform, customer or employee data, or systems and infrastructure within scope. Examples include:

  • Cross-site scripting,

  • Cross-site request forgery,

  • SQL injection,

  • Authentication flaws (website, mobile, or API),

  • Access control issues that impact customer communications or other customer data,

  • Server-side code execution bugs

Bugs that do NOT qualify:

  • Bugs requiring unlikely user interaction or relying on social engineering

  • Issues that disclose information about our infrastructure, such as version numbers or banners

  • Denial of Service

  • Clickjacking without demonstrable security impact

  • General best practices related to CSP policies, lack of specific security headers, etc.

  • Vulnerabilities affecting users of outdated browsers or platforms

  • Accessing content directly from our CDN (Content Delivery Network)

  • Password complexity issues for customer accounts

  • Logout cross-site request forgery

  • Mobile security issues that require that the attacker has physical access to the device or that the phone is rooted or jailbroken

Scope

The in-scope sites:

Rules

  • The vulnerability must be described for CleverMaps to reproduce the problem. Submissions that contain steps to reproduce your proof of concept along with a detailed analysis or working exploit are eligible for quicker awards because they help us assess the risk posed by a vulnerability quickly.

  • Researchers must respect our services and our customers' privacy. They must not: (i) degrade, interrupt, or deny service to our users; (ii) modify, delete, or otherwise misuse CleverMaps customer data, or access non-public customer information without authorization; (iii) make threats or demand money/payments in exchange for disclosing vulnerabilities; (iv) publicly disclose vulnerabilities without responsibly disclosing them and receiving written approval from CleverMaps first; or (v) otherwise violate CleverMaps' Terms of Use. Any non-public customer data inadvertently accessed must be promptly deleted and reported to CleverMaps and may not be used for any purpose.

  • For every report, we will endeavour to (i) acknowledge the vulnerability and provide a time frame for fixing it promptly and (ii) notify you that the issue has been fixed. Our review time will vary depending on the complexity and completeness of your submission.

If you disagree with these Terms, do not send us any submissions.

Disclosure Policy

Protecting our customers is critically important, so we strive to address each report promptly. While we are addressing the report, we require that all submissions remain confidential and not be disclosed to anyone else.

Any information you receive or collect about us, our customers, or our employees must be kept confidential and only used in connection with the Responsible Disclosure Program. Researchers must not sell the vulnerability or its details to other parties. They must not share, distribute, or discuss it or any of its details with any other parties until the vulnerability fix has been released, verified, and confirmed by us.

Any public disclosures should only occur after the vulnerability has been resolved and CleverMaps has provided written approval. Failure to comply with the Disclosure Policy will result in immediate disqualification from the Responsible Disclosure Program.

Rewards & Recognition

Due to company size, CleverMaps doesn't give security researchers any rewards. Recognition will be given to all researchers who submitted a qualifying bug (after it has been fixed).

Reservation of Rights

CleverMaps reserves the right to change or cancel this program at any time. This offer is void where prohibited by law, and the participant must not violate any law.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct, and we will not initiate legal action against you.
