
Responsible Disclosure Program

At Cleverly, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability in our product, we would like to know about it so we can address it as soon as possible. We will investigate the submission and, if it is valid, take the necessary corrective measures. Please review the responsible disclosure policy and reporting guidelines below before you report a security issue.

The information on this page is intended for security researchers who want to report security vulnerabilities to Cleverly’s security team. If you are a Cleverly customer with a concern that is not an information security issue, or you need information about your Cleverly account or want to raise a complaint, please reach out to our customer support or contact us at support@cleverly.ai.

Reporting security issues

E-mail your findings to security@cleverly.ai.

Encrypt your findings with our PGP key so that vulnerability details cannot be read by anyone other than the security team if the message is intercepted or misdirected.

Rewards

We do not offer a bug bounty at this time. An honorable mention may be awarded based on the severity, impact, complexity and the awesomeness of the vulnerability reported, at the discretion of Cleverly’s security team.

A certificate of appreciation (soft copy) is reserved for researchers who have continuously reported valid security issues to us over a longer period of time.

Reporting guidelines

  • Do not publicly disclose a bug without prior approval from Cleverly’s security team.
  • Due to the high number of submissions, it may take some time to triage your submission or to fix the vulnerability you reported. Please give us a reasonable amount of time to respond.
  • Originality, quality and content of the report are considered during triage. Make sure the report clearly explains the impact and exploitability of the issue and includes a detailed proof of concept.
  • Do not upload proof-of-concept videos, scripts or similar material to any third-party website; attach them directly to the email you send us.
  • You are obliged to share any additional information if we ask for it; refusal to do so will result in invalidation of the submission.
  • Do not access Cleverly’s data or internal resources, or the data of our customers, without prior approval from Cleverly’s security team.
  • Be respectful of our production applications and never run test cases that might disrupt our services.
  • Do not use scanners or automated tools to find vulnerabilities, since they are noisy. Doing so will invalidate your submission and result in a permanent ban from Cleverly’s responsible disclosure program.
  • Do not attempt attacks such as social engineering or phishing. Such findings will not be considered valid and, if detected, may result in appropriate legal action.

Responsibility at our end

  • We will respond as quickly as we can.
  • We will keep you updated as we work to fix the bug you have submitted.

Targets in scope

  • app.cleverly.ai
  • api.cleverly.ai
  • zendesk.cleverly.ai
  • salesforce.cleverly.ai
  • freshworks.cleverly.ai

Out of Scope Targets

  • www.cleverly.ai
  • support.cleverly.ai
  • cleverly.ai

* The targets listed above are out of scope even if the domain matches an in-scope pattern.

Eligibility

Prerequisites:

  • Be the first researcher to responsibly disclose the bug. Duplicate submissions are not eligible for any recognition.
  • Must adhere to our Responsible disclosure & reporting guidelines (as mentioned above).
  • This program is open only to individuals, not to organizations.
  • Verify the fix for the reported vulnerability to confirm that the issue is completely resolved.

In scope vulnerability examples

Report any bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a restricted or sensitive system within our infrastructure.

Examples of such bugs are:

  • Cross-Site Scripting (XSS)
  • SQL Injection
  • XML external entity (XXE) injection
  • Server Side Template Injection (SSTI)
  • Server Side Request Forgery (SSRF)
  • Cross-Site Request Forgery (on sensitive actions)
  • Broken Authentication / Authorization
  • Broken Session Management
  • Remote Code Execution (RCE)
  • Privilege Escalation
  • Business Logic flaws
  • Payment Related Issues
  • Misuse/Unauthorized use of our APIs
  • Open Redirects (which allow stealing secrets/tokens)

Out of scope vulnerabilities

Some reported issues carry low impact and may not qualify. Although we review them on a case-by-case basis, the following common low-risk issues typically do not earn any recognition:

  • Clickjacking in any form
  • Bugs requiring exceedingly unlikely user interaction (e.g. social engineering)
  • Spamming (e.g. SMS/Email Bombing)
  • Any kind of spoofing attack or any attack that leads to phishing (e.g. email spoofing, capturing login credentials with a fake login page)
  • Denial-of-service attacks or vulnerabilities that lead to DoS/DDoS
  • Login – Logout cross-site request forgery
  • Self XSS
  • Presence of server/software banner or version information
  • Stack traces and error messages that do not reveal any sensitive data
  • Third party API key disclosures without any impact or which are supposed to be open/public.
  • OPTIONS / TRACE HTTP methods enabled
  • Missing HTTP Security Headers (e.g. Strict-Transport-Security – HSTS)
  • Missing cookie flags (e.g. HttpOnly, Secure)
  • Host Header Injection
  • Broken Links (e.g. 404 Not Found page)
  • Known public files or directories disclosure (e.g. robots.txt, css/images etc)
  • Browser ‘autocomplete’ enabled
  • HTML / Text Injection
  • Forced Browsing to non-sensitive information (e.g. help pages)
  • Certificates/TLS/SSL related issues (e.g. BREACH, POODLE)
  • DNS issues (e.g. missing CNAME or SPF records)
  • End-of-life or outdated browser versions (e.g. Internet Explorer 6)
  • Weak CAPTCHA or CAPTCHA bypass (e.g. using browser addons)
  • Coupon Misuse
  • Brute force on forms (e.g. Contact us page)
  • Brute force on “Login with password” page
  • Account lockout not enforced
  • CSV injection
  • Any vulnerability that requires installing software (e.g. browser add-ons) on the victim’s machine
  • Rate limit mechanism bypass
  • Kiosk mode / Screen pinning bypass
  • Any vulnerability that requires physical device access (e.g. USB debugging), root/jailbroken access or third-party app installation in order to exploit it
  • Bypassing root/jailbroken detection
  • SSL Pinning bypass
  • Tapjacking
  • Reports of known-vulnerable software or known CVEs without a proper proof of concept demonstrating exploitability on Cleverly’s infrastructure
  • Bugs Cleverly is already aware of, or that have already been classified as ineligible

Changes to Program Terms

The responsible disclosure program, including its policies, is subject to change or cancellation by Cleverly at any time without notice. Cleverly may amend these program terms and/or its policies at any time by posting a revised version on our website. By continuing to participate in the responsible disclosure program after Cleverly posts such changes, you agree to comply with the updated program terms.

Program Termination

If you breach any of these program terms or the terms and conditions of Cleverly’s responsible disclosure program, Cleverly may immediately terminate your participation in the program. In some cases all of your previous contributions may also be invalidated.

Legal points

We will not issue recognition to any individual who does not follow the guidelines of our program, and depending on the individual’s actions, we may take legal action.

Testing using Tools

Don’t be evil. Practice safe checks. You must not use automated tools or scripts, as they can be disruptive or cause systems to misbehave; doing so will invalidate your submission and result in a permanent ban from Cleverly’s responsible disclosure program.