ClickTime Security Vulnerability Reward Program

Overview

Our team is committed to addressing all security issues in a responsible and timely manner. We assess all reports based on business risk criticality and impact. ClickTime may provide rewards (e.g. bug bounty) to eligible reporters of qualifying original vulnerabilities. We make every effort to be fair and consistent. We may choose to pay higher rewards for severe vulnerabilities or lower rewards for vulnerabilities with low impact.

ClickTime’s Commitment

• We review all submissions.
• ClickTime’s policy is to investigate all reported security vulnerabilities and resolve all legitimate issues.
• You will receive an automated email upon receipt of your submission within 2 days.
• We make every effort to respond within 3 weeks upon receipt of a vulnerability report.
• We will follow up via email after the initial review with our findings.

Reward Eligibility

• Be the first to identify the issue. We receive issues from several security researchers so it is possible the issue you are reporting has already been reported to us.
• Follow all of the rules set forth in this document.
• The report must describe an attack scenario and a real risk for a user.

If you have any questions please write to us: security@clicktime.com

Submission Process

If you find a security vulnerability, please submit an email to security@clicktime.com and include the following information:

• Step-by-step instructions of how to reproduce the issue.
• Screenshots or a screen-recording (video) of the steps to reproduce the issue.
  • Include descriptive text with the video or screenshots.
  • A video is required for any rate-limiting submissions.
• Include all IP addresses or URLs involved (e.g. https://login.clicktime.com, https://app.clicktime.com, etc.).
• Define the vulnerability and how it can be used to compromise security.
• Provide a link to the relevant OWASP page for the submitted issue.
• Suggestion on how to remedy the issue.

Rules for Reporting and Testing

• Do not publicly disclose any details of the vulnerability.
• Do not cause an interruption or degradation of our service.
• Do not use security scanners or tools which may cause DoS, DDoS or scraping-like behaviour.
• Do not perform denial of service attacks, mail bombing, spam, scraping, brute force, or automated attacks with programs like Burp Intruder.
• NEVER try to gain access to a user’s account or data other than your own account(s).
• Do not port scan internal networks.
• Do not use automatic tools against contact or support forms.
• Do not compromise, destroy, alter, or remove any data from our systems.
• Do not impact users with your testing.
• Do not attempt non-technical attacks such as social engineering, phishing, or physical attacks against our employees, users, or infrastructure.
• Do not compromise the privacy of our clients and/or staff.
• Do not use automatic tools to check on the status of your vulnerability submission.
• Use test accounts. Please use email aliases when possible.
  • For example, add +clicktimevulnerability to your email address before the @, e.g. researcher+clicktimevulnerability@example.com
• Any vulnerability found must be reported no later than 48 hours after discovery.

What We Are Looking For

In general, any vulnerability which could negatively affect the security of our users like:

• Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF)
• Server-Side Request Forgery (SSRF)
• SQL Injection
• Server-side Remote Code Execution (RCE)
• XML External Entity Attacks (XXE)
• Access Control Issues (Insecure Direct Object Reference issues, etc)
• Exposed Data that does not require login credentials
• Exposed Data from an account other than the one you are logged in with.
• Directory Traversal Issues
• Local File Disclosure (LFD)
• Content Spoofing
• Vulnerabilities located on the following sites:
  • https://login.clicktime.com
  • https://app.clicktime.com
  • https://www.clicktime.com
• Anything not listed but important.

Concatenating vulnerabilities to increase the attack scenario is encouraged.

What We Are NOT Looking For

Rewards are not paid for the following items:

• The output of automated scanners without explanation
• Best practices concerns (we require evidence of a security vulnerability)
• WordPress XMLRPC brute force attacks
• CSV/Excel command injection issues
• Vulnerabilities only affecting users of outdated, unpatched, or unsupported browsers and platforms
  • Link to supported browsers: https://clicktime.com/systemrequirements
• Race conditions that don’t compromise the security of ClickTime or our customers
• Reports about theoretical damage without a real risk
• Attacks requiring physical access to a user’s device or email
• Missing security headers not related to a security vulnerability
• Reports of insecure SSL/TLS ciphers unless you have a working proof of concept
• Banner grabbing issues to figure out the stack we use or software version disclosure
• Open ports without a vulnerability
• Origin IP address exposure
• Disclosure of known public files or directories, (e.g. robots.txt)
• Reports of spam
• Ability to use email aliases (e.g. email+123@gmail.com)
• Ability to use a non-business email address (e.g. email@gmail.com)
• Presence of autocomplete attribute on web forms
• HSTS headers
• Host header injection unless you can show how a third-party can exploit it.
• Vulnerabilities that require a rooted, jailbroken, or software emulated device
• Identifying vulnerabilities in third party services or software (including Intercom).
• Reports of rate-limiting issues based only on a lack of a 429 response. Not all rate-limiting implementations return a 429 error code. 
• Vulnerabilities located on the following sites:
  • https://blog.clicktime.com
  • https://get.clicktime.com
  • https://releasenotes.clicktime.com
  • https://system.clicktime.com
  • https://support.clicktime.com
  • https://clicktime.com/blog
  • https://clicktime.com/timesheet-blog
  • WordPress based sites other than www.clicktime.com
  • Wildcard URL references (*.clicktime.com) such as blahblah.clicktime.com

If you really feel that something listed above will have a great impact on our security, and you have a working proof of concept, please feel free to report it explaining the attack scenario that we are missing, otherwise, it will be classified as Not Applicable.

What is Ineligible for a Reward, but Appreciated

• Recently disclosed 0-day vulnerabilities
• Use of a known-vulnerable library
• Reflected XSS
• Open redirects
• Self-XSS (making users attack themselves generally is not a security issue)
• Any low severity issue (not listed in “What we are not looking for” section)

If you really feel that something listed above will have a great impact on our security, and you have a working proof of concept, please feel free to report it explaining the attack scenario that we are missing, otherwise, it will be classified as Not Applicable.

Legal Points

We are unable to issue rewards to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists. You are responsible for any tax implications depending on your country of residency and citizenship. There may be additional restrictions on your ability to participate depending upon your local law. This is a discretionary rewards program. ClickTime can cancel the program at any time and the decision as to whether or not to pay a reward is entirely at our discretion. Your testing must not violate any law, or disrupt or compromise any data that is not your own. Thank you for helping to keep ClickTime and our users safe.