Vulnerability Disclosure
At Cleeng, we take the security of our systems and our customers seriously. We appreciate responsible researchers who help us identify potential vulnerabilities so we can address them quickly and safely.
If you believe you have discovered a security issue in any Cleeng service, please report it to us responsibly as described below.
How to Report
Please send your report to [email protected].
Each submission should describe only one specific vulnerability.
If you’ve identified multiple issues, please submit them separately so that each can be tracked, verified, and resolved efficiently.
Include in your report:
- A clear and detailed description of the vulnerability.
- Steps to reproduce or a working proof-of-concept (PoC).
- The affected URL, endpoint, or system component.
- Any supporting evidence (screenshots, logs, payloads).
Please avoid testing that could impact users or service availability (e.g., denial-of-service, data extraction, or brute-force).
Response and Communication Timeline
We value transparency and commit to providing timely updates during the review process.
| Phase | Target Response Time |
|---|---|
| Acknowledgment | within 2 business days |
| Initial verification and triage | within 10 business days |
| Bounty decision | within 5 business days after triage completion |
| Bounty payout | within 10 business days after receiving a valid invoice |
If we require more information to reproduce or validate the finding, we’ll reach out during the triage phase.
Reward Program
Valid, unique, and impactful vulnerabilities may qualify for a monetary reward. Reward amounts depend on internal severity assessment.
Duplicate, out-of-scope, or purely informational findings do not qualify for a bounty but may still be acknowledged in our Hall of Fame.
Examples of Vulnerability Impact
High Impact:
- Remote code execution (RCE) vulnerabilities that allow an attacker to execute code on the server without authorization.
- Authentication bypass vulnerabilities that allow an attacker to bypass authentication mechanisms and gain unauthorized access to sensitive resources.
- SQL injection vulnerabilities that allow an attacker to inject malicious SQL code into a database query and manipulate or retrieve sensitive data.
Medium Impact:
- Cross-site scripting (XSS) vulnerabilities that allow an attacker to inject malicious scripts into a web page viewed by other users.
- Cross-site request forgery (CSRF) vulnerabilities that allow an attacker to forge a request to a web application that is executed in the context of an authenticated user.
- Denial-of-service (DoS) vulnerabilities that allow an attacker to overload a server or application by sending a large number of requests or exploiting a resource exhaustion issue. Because active DoS testing is out of scope, demonstrate such issues with a minimal, non-disruptive PoC rather than by actually degrading the service.
Low Impact:
- Information disclosure vulnerabilities that allow an attacker to obtain sensitive information about a system or user without authorization.
- Session fixation vulnerabilities that allow an attacker to manipulate a user's session ID and gain unauthorized access to sensitive resources.
- Weak password policies that allow an attacker to guess or brute-force user passwords and gain unauthorized access to sensitive resources. Document the policy weakness itself; do not run brute-force attempts against live accounts, as such testing is out of scope.
Out of Scope Vulnerabilities
The following types of vulnerabilities are considered out of scope:
- Issues without a clear security impact or exploit path.
- Generic best-practice recommendations (e.g., missing headers, TLS settings) without a working PoC showing exploitation potential.
- Use of outdated dependencies with no demonstrable risk.
- Self-XSS or issues requiring unrealistic user interaction.
- Denial-of-service, brute-force, or social engineering attempts.
- Findings related to third-party software or infrastructure not owned or operated by Cleeng.
- Automated scanner output or theoretical “what-if” scenarios.
Hall of Fame
Researchers whose work helps improve Cleeng’s security posture may be recognized in our Hall of Fame.
