If you have discovered a security vulnerability on calmlake.net, we encourage you to contact us immediately. We will review all legitimate vulnerability reports and do our best to resolve the issue promptly. Before reporting, please review this document, including the fundamentals, the bounty program, reward guidelines, and what not to report.
Fundamentals
If you adhere to the principles below when reporting a security issue to calmlake.net, we will not pursue legal action or investigations against you in response to your report.
We ask that:
- You grant us a reasonable amount of time to review and address an issue you report before publicly disclosing any information about the report or sharing this information with others.
- You do not interact with a personal account (including modifying or accessing account data) unless the account owner has consented to such actions.
- You make a good-faith effort to avoid privacy violations and disruptions to others, including (but not limited to) data destruction and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempting to compromise sensitive company data or seeking out additional issues.)
- You do not violate applicable laws or regulations.
Bounty Program
We recognize and reward security researchers who help us ensure the safety of our services by reporting vulnerabilities. Monetary rewards for these reports are entirely at the discretion of calmlake.net, based on the risk involved, impact, and other factors. To potentially qualify for a bounty, you must first meet the following conditions:
- Adhere to our fundamentals (see above).
- Report a security bug—meaning, identify a vulnerability in our services or infrastructure that poses a security or privacy risk. (Note that we ultimately determine the risk of a report, as many bugs are not security issues.)
- Submit your report via our security center. Please do not contact employees.
- If you inadvertently cause a privacy violation or disruption (such as accessing account data, service configurations, or other confidential information) while investigating a bug, disclose it in your report.
- We investigate and respond to all valid reports. Due to the volume of reports we receive, however, we prioritize reports based on their assessed risk and other factors, and it may take some time before you receive a response.
- We reserve the right to publish reports.
Rewards
Our rewards are based on the impact of a vulnerability. We will update the program over time, so please provide feedback on any aspect of the program you believe we can improve.
- Please provide detailed reports with reproducible steps. If the report is not detailed enough to initiate an investigation, it will not be eligible for a bounty.
- In the case of duplicates, we award the first report that we can fully reproduce.
- Multiple vulnerabilities caused by an underlying issue receive a bounty.
- The bounty reward is determined by a variety of factors, including (but not limited to) impact, ease of exploitation, and report quality. The reward tiers are listed below.
- The amounts below are the maximum we will pay per tier. We aim to be fair, and all reward amounts are at our discretion.
Critical Severity Vulnerabilities ($300): Vulnerabilities that lead to privilege escalation from unprivileged to administrator on the platform, remote code execution, financial theft, etc.
Examples:
- Remote Code Execution
- Remote Shell/Command Execution
- Vertical Authentication Bypass
- Targeted Data-Leaking SQL Injection
- Gain Full Access to Accounts
High Severity Vulnerabilities ($100): Vulnerabilities that impact platform security, including the processes it supports.
Examples:
- Lateral Authentication Bypass
- Disclosure of Significant Company Information
- Stored XSS Affecting Another User
- Local File Inclusion
- Insecure Management of Authentication Cookies
Medium Severity Vulnerabilities ($50): Vulnerabilities that impact multiple users, with little or no user interaction required to trigger.
Examples:
- Common Logical Design Flaws and Business Process Defects
- Insecure Verb Object References
Low Severity Vulnerabilities: Issues that impact individual users and require significant interaction or prerequisites (such as a man-in-the-middle position).
Examples:
- Open Redirection
- Reflected XSS
- Low Sensitivity Information Leaks
Billing and Administration services are available from 9:00 AM to 5:00 PM, business days (Monday to Friday).
If you have any questions, please feel free to contact us. We are ready to provide you with the best services.
CONTACT INFORMATION:
Email: support@calmlake.net
Call us: +1 (0) 2067 046 077