Clario Tech Limited looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.
Response Targets
==================
Clario Tech Limited will make its best effort to meet the following SLAs for hackers participating in our program:
| Type of Response | SLA in business days |
| ------------- | ------------- |
| First Response (from report submit) | 2 days |
| Time to Triage (from first response) | 2 days |
| Time to Bounty (from triage) | 14 days |
| Time to Resolution | depends on severity and complexity |
We’ll try to keep you informed about our progress throughout the process.
Disclosure Policy
==================
As this is a private program, please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
Public disclosure of the vulnerability prior to resolution may cancel a pending reward. We reserve the right to not disclose the report or to disclose it only partially.
Follow the HackerOne Disclosure Guidelines.
Program Guidelines
==================
Be an ethical hacker
Do not perform any social engineering or physical attacks against Clario employees or our users. It’s a VERY strict rule!
Do not disturb support agents in Live Chat with questions, links, etc.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or with the explicit permission of the account holder.
Contact us immediately if you do inadvertently encounter user data. Do not view, alter, save, store, transfer, or otherwise access the data, and immediately purge any local copies upon reporting the vulnerability to Clario Tech Limited.
Do not disclose the reported vulnerability to others until we’ve had a reasonable time to address it.
Let us know as soon as possible upon the discovery of a potential security issue.
We reserve the right to disqualify individuals from the program for disrespectful or disruptive behavior.
Test Plan
==================
When you create an account, register with a plus-addressed email such as <hacker>+hackerone@<domain.com>; otherwise the email address (or account name) must contain the word "hackerone".
To avoid causing a denial of service, you must enable throttling on your scanners.
To prevent your scanner from being blocked, we strongly recommend using a User-Agent that contains the word "hackerone".
If you test Live Chat, start the test chat with product=HackerOne as a GET URL parameter so that it bypasses the “Contact with support users, especially through Live Chat” prohibition (see Out of Scope). For example:
```http
GET /chat/crm/action=connect/?mode=zchat&sid=123456ab-1234-1234-1234-123456789abc&product=HackerOne&lang=en HTTP/1.1
Host: support.mackeeper.com
User-Agent: wearehackerone

HTTP/1.1 200 OK
........
{"status":"ok","room":"0123456789aAAAAAAAzZZZZZZZ","isRestored":false,"post":"https://chat-crm.mackeeper.com/post/%25%25clientId%25%25/0123456789aAAAAAAAzZZZZZZZ/","get":"https://chat-crm.mackeeper.com/listen/0123456789aAAAAAAAzZZZZZZZ/?client-id=%25%25clientId%25%25","history":"https://crm.mackeeper.com/chat-api/history/0123456789aAAAAAAAzZZZZZZZ/","clientId":"0123456789abcdef012345"}

POST /post/0123456789abcdef012345/0123456789aAAAAAAAzZZZZZZZ/ HTTP/1.1
Host: chat-crm.mackeeper.com
User-Agent: wearehackerone
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8

message=body&mestype=sometype
```
If you follow these rules, we will not block you.
Report Eligibility
==================
A well-written report in English with a Proof-of-Concept code will allow us to triage your submission more quickly and accurately.
You must be the first reporter of a vulnerability.
You may not publicly disclose the vulnerability prior to our resolution.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Please provide detailed reports using our template, with reproducible steps and working Proof-of-Concept code. If the report is not detailed enough to reproduce the issue, or contains only a purely theoretical impact, the issue will not be eligible for a reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to demonstrate impact.
Include how you found the bug, the impact, and any potential remediation. The vulnerability must demonstrate security impact to a site or application in scope (see below).
When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
We only disclose publicly reports that are resolved. Also remember: if we cannot reproduce it, we cannot reward you. Make sure your reports are well written. There is no need to describe the security impact of your finding; we understand security risks and can figure that out.
Reports that are most likely to be dismissed or not eligible for a bounty:
Most best-practice-based reports will be dismissed.
Reports that are not directly related to the web applications on our in-scope domains will most likely be dismissed.
Reports with very low business value (nonexistent risk, very low impact, ...) or reports that are purely theoretical will most likely be dismissed.
Physical or social engineering attacks that pose a direct personal threat will NEVER be processed.
Reports that are plain copy-paste from automated scanners, with clearly no thought behind how to exploit the findings, will most likely have a low (or no) bounty awarded.
It is not worth reporting self-exploitation or self-XSS; there will be no bounties.
In Scope
==================
https://account.mackeeper.com
*.kromtech.com
*.mackeeper.com
https://account.clario.co
https://adblocking.clario.co
https://api-ne.clario.co
https://chat-crm.clario.co
https://chat.clario.co
https://clario.co
https://crm.clario.co
https://dcs.clario.co
https://dl.clario.co
https://event.clario.co
https://get-unbounce.clario.co
https://inapp.clario.co
https://static-cdn.clario.co
https://sz.clario.co
https://updater.clario.co
https://updatetracker.clario.co
https://webapi.clario.co
https://yapi.clario.co
Mackeeper app (described in assets)
Clario app (described in assets)
Clario Android app (described in assets)
Clario iOS app (described in assets)
Mackeeper desktop application downloaded from mackeeper.com - https://mackeeper.com
Please note: use only the latest version of Mackeeper that is accessible from https://mackeeper.com
Out of Scope
==================
https://kibana-logs.clario.co
https://vpn.clario.co
https://connect.clario.co
https://jira.clario.co
https://wiki.clario.co
store.mackeeper.com
e.mackeeper.com
*.email.mackeeper.com
payment providers
Purely theoretical and best-practice issues.
Physical or social engineering attacks on our employees or customers: STRICTLY PROHIBITED.
Contact with support users, especially through Live Chat: STRICTLY PROHIBITED.
Unthrottled automated scanning; please throttle all tools to one request per second.
Unvalidated reports from automated vulnerability scanners.
Bruteforcing subdomains.
Any activity that could lead to the disruption of our service (DoS).
Reports about any vulnerability from the exclusion list below will most likely be closed as "N/A".
Submitting multiple N/A reports may result in you being excluded from participating in our program.
Clickjacking on pages with no sensitive actions.
Social engineering (e.g., phishing, vishing, smishing) of Clario Tech Limited employees and users is strictly prohibited.
Unauthenticated/logout/login CSRF.
Implausible bruteforce attacks.
HTTP OPTIONS method enabled.
Missing SPF/DMARC/DKIM settings.
Server errors with no sensitive information.
Attacks requiring MITM or physical access to a user's device.
Previously known vulnerable libraries without a working Proof of Concept.
Comma Separated Values (CSV) injection without demonstrating a vulnerability.
Missing best practices in SSL/TLS configuration.
Denial of Service.
Content spoofing and text injection issues without showing an attack vector / without being able to modify HTML/CSS.
Stack traces, path disclosure, and directory listings.
Rate limiting or bruteforce issues on non-authentication endpoints.
Reports that affect only outdated user agents or platforms. We only consider exploits in the latest versions of Safari, Firefox, Chrome, Edge, supported Android versions (Android > 7.0) and iOS versions (iOS > 11).
Missing best practices in Content Security Policy.
Missing HttpOnly or Secure flags on cookies.
Reports that include only crash dumps or other automated tool output without proof-of-concept code.
Open port scanning, banner grabbing, and software version disclosure issues.
MITM attacks on a secure connection and “Mixed Content” issues are out of scope.
Vulnerabilities that require root-level or physical access on a targeted device are out of scope.
Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end-user interactions to be exploited.
Mackeeper desktop application versions older than the one available for download from mackeeper.com.
Lack of rooting detection is out of scope.
Runtime hacking exploits (exploits only possible in a rooted environment).
Lack of binary protection controls in the Android app.
Shared links leaked through the system clipboard.
Any URIs leaked because a malicious app has permission to view opened URIs.
Lack of obfuscation of third-party libraries is out of scope.
User data stored unencrypted on external storage.
OAuth and app secrets hard-coded/recoverable in the APK.
Any kind of sensitive data stored in the app's private directory.
Lack of jailbreak detection is out of scope.
Runtime hacking exploits (exploits only possible in a jailbroken environment).
Lack of binary protection (anti-debugging) controls.
Lack of exploit mitigations (i.e. PIE, ARC, or stack canaries).
Path disclosure in the binary.
Lack of obfuscation of third-party libraries is out of scope.
OAuth and app secrets hard-coded/recoverable in the APK.
Snapshot/Pasteboard leakage.
This list is not exhaustive. We may at our sole discretion disqualify a report if the vulnerability was found using harmful or disruptive methods.
Safe Harbor
==================
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Feedback
==================
If you have any suggestions and feedback, please let us know at bugbounty@weareclario.com
Thank you for helping keep Clario Tech Limited and our users safe!
| Scope Type | Scope Name |
| ------------- | ------------- |
| application | https://mackeeper.com/mk/download/?ref=hackerone |
| web_application | https://account.mackeeper.com |
| web_application | https://adblocking.clario.co |
| web_application | https://chat-crm.clario.co |
| web_application | https://chat.clario.co |
| web_application | https://crm.clario.co |
| web_application | https://dcs.clario.co |
| web_application | https://dl.clario.co |
| web_application | https://event.clario.co |
| web_application | https://updater.clario.co |
| web_application | https://updatetracker.clario.co |
| web_application | https://yapi.clario.co |
| web_application | *.mackeeper.com |
| web_application | kbill.mackeeper.com |
| web_application | api-ne.mackeeper.com |
| web_application | mkapi.mackeeper.com |
| Scope Type | Scope Name |
| ------------- | ------------- |
| android_application | co.clario.android |
| application | https://clario.co/?ref=hackerone |
| ios_application | co.clario.clario.ios |
| other | Tier 1 |
| other | Tier 2 |
| other | Tier 3 |
| other | Tier 4 |
| web_application | store.mackeeper.com |
| web_application | e.mackeeper.com |
| web_application | *.email.mackeeper.com |
| web_application | https://vpn.clario.co |
| web_application | https://connect.clario.co |
| web_application | https://account.clario.co |
| web_application | https://kibana-logs.clario.co |
| web_application | https://api.account.opendoor.ltd |
| web_application | https://clario.co |
| web_application | https://api-ne.clario.co |
| web_application | https://get-unbounce.clario.co |
| web_application | https://inapp.clario.co |
| web_application | https://static-cdn.clario.co |
| web_application | https://sz.clario.co |
| web_application | https://webapi.clario.co |
| web_application | *.kromtech.com |
| web_application | https://jira.clario.co |
| web_application | https://wiki.clario.co |
| web_application | https://api.account.clario.co |
This program, crawled on 2020-07-21, is sorted as bounty.
FireBounty © 2015-2024