Clear Tax Vulnerability Disclosure Program
Cleartax is committed to ensuring the security and integrity of our services. As part of this commitment, we are launching the Cleartax Vulnerability Research Reward Program. Through this program, we encourage security researchers to responsibly disclose any potential vulnerabilities they find on our platforms, thereby contributing to our continuous drive to enhance the safety and security of our systems.
Program statistics: Total Submissions 9 · Total Researchers 16190 · Testing Cycles 59 · Submission Rate 0.04%
About
Organization Details
- Name: Cleartax
- Website: https://cleartax.in/
- LinkedIn: https://www.linkedin.com/company/clearofficial
Rewards Listing
| Technical Severity | Created | Reward Range (INR) |
|---|---|---|
| P1 · Critical | 16 Mar 2026 | ₹64000.00 – ₹90000.00 |
| P2 · Severe | 16 Mar 2026 | ₹45000.00 – ₹64000.00 |
| P3 · Moderate | 16 Mar 2026 | Certificate of Appreciation |
| P4 · Low | 16 Mar 2026 | Certificate of Appreciation |
| P5 · Informational | 16 Mar 2026 | Certificate of Appreciation |
Rewards are indicative and may vary based on impact, quality, and report clarity.
Program Rules:
- Always conduct testing ethically and legally.
- Only Critical and High severity reports are eligible for a monetary reward.
- If researchers perform any fuzzing activities, they must include the request header X-Comolho-Client in all requests.
- Do not publicly disclose a vulnerability without obtaining explicit consent from Clear Tax.
- Never attempt to access, modify, delete, or store user data.
- If using automated tools or scripts, ensure they do not cause harm or excessive traffic to our platforms.
- Use only your own accounts for testing. Do not interact with or exploit other real users' accounts.
- Do not conduct tests that may degrade our services or impact our users.
- Already known issues will be rejected as duplicates.
Prohibited Activities:
- Unauthorized data access (viewing or altering data that does not belong to you).
- Damaging or corrupting data that is not yours.
- Denial of Service (DoS) attacks.
- Malware handling or distributing malicious software.
- Unsolicited communications like spam.
- External application testing (third-party services integrated with Clear).
- Exploiting vulnerabilities beyond what is necessary to demonstrate them.
- Stored Cross-Site Scripting (XSS) proofs of concept must use harmless payloads (for example, a benign alert or console message), never payloads that read, alter, or exfiltrate data.
- Avoid activities that can damage Clear's systems, violate rights, or break any laws.
Focus Areas:
- Insecure Direct Object Reference (IDOR)
- Horizontal & Vertical Privilege Escalation
- Injections
- Unauthenticated API leading to sensitive data exposure
Limited Exploitation Policy
Researchers may test for the following vulnerabilities; however, once exploitability is confirmed and a proof of concept is obtained, further exploitation must stop to avoid service disruption or security risks.
- Server-Side Request Forgery (SSRF)
- Server-Side Template Injection (SSTI) leading to command injection
- Remote Code Execution (RCE)
Eligibility & Compliance
- Age Requirement: Participants must be 18 years or older at the time of submission.
- Affiliation Restrictions: Current and former Clear employees (within 6 months of their last working day), customers, vendors, contractors, and their immediate family members are not eligible to participate. Valid reports submitted by ineligible individuals will not be rewarded.
- Geographic Eligibility: Submissions are accepted globally, subject to local laws and regulations.
- Compliance: Researchers must comply with all terms and conditions of the Clear Tax Bounty Initiative.
Legal & Responsible Disclosure
Clear strictly prohibits any activities that violate applicable laws, regulations, or the Clear Terms of Use. Security research must be conducted in a responsible manner.
Researchers are required to:
- Adhere to all applicable legal standards while conducting security testing.
- Avoid actions that could disrupt services, compromise user data, or cause harm to systems.
Failure to comply with this policy may result in disqualification and could lead to legal consequences, including potential civil or criminal liability.
Out of Scope:
- Denial of Service (DoS/DDoS) Attacks: Any attempt to disrupt the service is strictly prohibited.
- Clickjacking on pages with no sensitive actions.
- Unconfirmed Reports: Reports without a clear proof-of-concept or lacking detailed steps to reproduce.
- Client-Side Bypasses: Client-side bypasses that affect only the researcher's own session and not other users are informational and will not qualify for a bounty.
- Admin Issues: Issues with workspace admins (who inherently have full access) are not eligible for rewards.
- SSTI Vulnerabilities: Vulnerabilities related to Server-Side Template Injection (SSTI) that only allow basic mathematical operations will not be considered for bounty rewards.
- ID Reuse Issues: Issues related to the reuse of identifiers, such as logging concerns, are not accepted.
- Race Conditions: Bypassing server-side validation via race conditions is not accepted.
- Physical Security Testing: Attempts to physically breach security are out of scope.
- Social Engineering: Any methods to manipulate people into revealing sensitive information are prohibited.
- Phishing Attempts: Fraudulent methods to obtain sensitive information disguised as a trustworthy entity.
- Cross-Site Request Forgery (CSRF)
- Man-in-the-Middle (MITM) Attacks: Altering communications between two parties.
- Vulnerable Libraries: Using known vulnerable libraries without proof of exploitability.
- CSV Injection: Issues with CSV data without a clear security flaw.
- SSL/TLS Configuration Gaps: Missing standard configurations for SSL/TLS.
- Content Spoofing/Text Injection: Issues without clear attack vectors or ability to alter HTML/CSS.
- Rate Limiting/Brute Force: Issues in rate limiting or brute force that do not lead to significant security flaws.
- Missing Security Headers
- Content Security Policy (CSP) Gaps: Missing recommended CSP practices.
- Cookie Flags: Missing HttpOnly or Secure cookie attributes.
- Email Configuration: Incomplete SPF/DKIM/DMARC records.
- Obsolete Browser Vulnerabilities: Vulnerabilities in outdated browsers (more than two stable versions behind).
- Software Version Disclosure: Issues revealing software versions, banners, or error messages.
- Tab Nabbing: Reverse tabnabbing via links opened in a new tab (target="_blank" without rel="noopener").
- Token Leakage via Referer Header
- EXIF Geolocation Data Not Stripped From Uploaded Images
- Failure to Invalidate Session
- CORS Misconfiguration
- User Enumeration
- Self XSS: Self XSS unless it affects other users.
- GraphQL Introspection: Not an issue unless it can be exploited beyond the default schema.
- Third-Party Services: Issues related to third-party services used by Clear.
- Multiple Admin Users: No distinction made between multiple admin users.
- Reports based on data leaked via the Dark Web or social media intel will not be considered.
Carefully review and understand the rules and scope of the bug bounty program. Each program has specific guidelines, eligibility criteria, and a defined scope of systems, applications, or services that are in-scope for testing. Focus your efforts on these areas to ensure your findings are eligible for rewards.
When reporting a vulnerability, commit to providing clear and comprehensive details to help the organization reproduce and validate your findings. Include step-by-step instructions, proof-of-concept code if applicable, and any other relevant information that can assist the organization's security team in understanding and verifying the issue.
Engage in professional communication with the organization's security team. Be responsive to any requests for clarification, additional information, or coordination during the vulnerability verification process. Maintain open and respectful communication throughout the entire process, understanding that both parties are working together to improve security.
Always adhere to responsible disclosure practices. When you discover a vulnerability, avoid exploiting it for malicious purposes or sharing it with unauthorized parties. Instead, immediately report the vulnerability to the program organizers following the reporting process outlined in the program guidelines. This allows the organization to address the issue before potential harm can occur.
Researchers participating in our programs are expected to adhere to specific Safe Harbor provisions. They are assured legal protection: by complying with all program terms, they are granted a legal safe harbor, ensuring they will not face lawsuits or legal action for their reported findings. Participants also commit to responsible disclosure, providing ample time to address and rectify vulnerabilities and not disclosing any findings publicly whatsoever. Testing should be confined only to systems they have explicit authorization to assess. Furthermore, during the assessment, data access should be minimized, focusing only on what is necessary to validate a vulnerability, and no user data should be retained beyond what is absolutely required.