Clef Whitehat & Bug Bounty Program

Security researchers from all over the world help us keep Clef secure.

Our whitehat & bug bounty program

At Clef, we're building usable two-factor authentication for consumers. We take the security and privacy of our users very seriously, and we welcome working with security experts to make our product, and the Internet, better.

If you believe you've found a vulnerability, we'd love to work with you through our Responsible Disclosure Program. Please include a detailed summary of the issue you discovered so we can reproduce it and assess its severity.

Rewards

The minimum reward offered to whitehat researchers is $32 USD (paid in Bitcoin or USD, your choice). To earn a reward, you must report a previously unknown vulnerability of sufficient severity.

Eligibility

To be eligible, you must:

  1. Be the first person to responsibly disclose the bug.
  2. Report a bug that could compromise our users' private data, circumvent authentication or system protections, or enable access within our infrastructure.
  3. Assist in our review of the issue (handled on a case-by-case basis) so we can determine whether you are eligible.

A good report has:

  • Detailed steps for reproducing the bug
  • A concrete attack scenario explaining how the vulnerability would impact Clef or our customers

Scope & rules of engagement

The following web properties owned by Clef are in scope for the program:

  • getclef.com (our static site)
  • dashboard.getclef.com (our dashboard site)
  • *.clef.io (our API server)

We are especially interested in vulnerabilities in our API, and in any vulnerability that could allow unauthorized access or logins.

The following web properties are not in scope for the program:

  • support.getclef.com (not hosted by us)
  • docs.getclef.com (not hosted by us)
  • blog.getclef.com (a WordPress site)
  • Customer sites or sites which have integrated with Clef are also out of scope.
  • Our mobile apps are also currently out of scope, but we are constantly re-evaluating this program.

The following activities are also out of scope. Engaging in any of them will disqualify you from the program:

  • Intentionally harming the experience or usefulness of Clef for others (e.g. denial of service)
  • Attempts to view, modify, or damage data belonging to others
  • Physical attacks against Clef employees, offices, and data centers
  • Social engineering of Clef employees, contractors, vendors, or service providers
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages
  • Any vulnerability obtained by compromising a Clef customer's or employee's account. If you need an account to test a vulnerability, please create a free one.

Disclosure

To disclose a security vulnerability, please email security@getclef.com with a detailed report on the issue. Our PGP public key is below; we encourage you to encrypt your report with it.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.4
Comment: Hostname: pgp.mit.edu
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=FThV
-----END PGP PUBLIC KEY BLOCK-----