At Everclear, keeping our members' personal information private and secure is a priority to us. Our Security Exploit Bounty program will reward you for the responsible disclosure of any security flaw or security vulnerability if it meets the criteria described below.
- Must identify an original and previously unreported & not publicly disclosed vulnerability.
- The vulnerability must be about the security of user accounts and/or user information.
- The researcher must not reside in a country currently on a United States sanctions list, and must not be on a US list of sanctioned individuals.
- The researcher submitting the bug must not be the author of the vulnerable code.
- You are at least 18 years of age, and, if considered a minor in your place of residence, you have your parent’s or legal guardian’s permission prior to reporting.
- You agree to participate in testing mitigation effectiveness of your finding with the company.
- Keeping details of vulnerabilities secret until Everclear has been notified and had a reasonable amount of time to fix the vulnerability.
- Keeping within the guidelines of our Terms of Service.
Do Not Attempt
Attempting any of the following will result in permanent disqualification from the bug bounty program and possible criminal and/or legal investigation. We do not allow any actions that could negatively impact the experience on our websites or apps.
- Brute-force attacks
- Code injection on live systems
- Disruption or denial-of-service attacks
- The compromise or testing of accounts that are not your own
- Vulnerability scans or automated scans (including scans using tools such as Acunetix, Core Impact or Nessus)
Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
We are interested in security vulnerabilities that can be exploited to gain access to member data. We will only qualify and reward a vulnerability if and only if the bug can be successfully used by itself or in combination with another vulnerability you report to access user data that is not yours. General "bugs" are never qualifying vulnerabilities, and anything that is not an exploit is a general "bug." The exploit must rely only on vulnerabilities of Everclear's systems.
Examples of Potentially Qualifying Vulnerabilities
- Authentication flaws
- Circumvention of our Platform/Privacy permissions model
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF/XSRF). This excludes logout CSRF.
- Server-side code execution
Examples of Non-Qualifying Vulnerabilities
- Failures to adhere to "best practices" (for example, common HTTP headers, link expiration or password policy)
- Denial of Service vulnerabilities (DOS)
- Possibilities to send malicious links to people you know
- Security bugs in third-party websites
- Insecure cookies on everclear.com
- Mixed-content scripts on everclear.com
- Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible
- Spam or social engineering techniques
Only 1 bounty will be rewarded per vulnerability. Rewards are paid through PayPal. This service collects a fee for processing the transaction, which gets deducted from the amount rewarded. To responsibly disclose a vulnerability, send us an email: firstname.lastname@example.org.
If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
We maintain flexibility with our reward system and have no minimum/maximum amount; rewards are based on severity, impact, and report quality.
This is a discretionary program and Everclear reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.