Responsible Disclosure

The Lead Tree International Corporation Responsible Disclosure Program

The Lead Tree International Corporation values independent Security Researchers to improve the security of our service. The Lead Tree International Corporation encourages the security community to report any issue to us directly and not to the public. We wish to foster cooperation within the security community. The following policy reflects our program rules. This program is subject to change at any time.

Scope of Qualifying Issues

The following issues qualify, at The Lead Tree International Corporation’s discretion, when found on the production https://clarkoutsourcing.com/* domain.

  • Injection
  • Broken Authentication
  • Sensitive Data Exposure
  • Broken Access Control
  • Cross-Site Scripting (XSS)
  • Insecure Deserialization
  • Using non-essential third-party components with known critical vulnerabilities

In addition:

  • The reporter of the issue must be the one that discovered the issue (no third-parties)
  • The reporter must provide adequate time for issue response from The Lead Tree International Corporation and not disclose anything about the issue publicly until The Lead Tree International Corporation has acknowledged resolution or a final status
  • The reporter must not modify or access data or code that they do not own
  • The reporter must not exploit any issue to cause damage to The Lead Tree International Corporation systems

Non-Qualifying Issues

Non-Qualifying issues are at The Lead Tree International Corporation’s discretion including, but not limited to, the following:

  • Issues in third party provided systems, data, and tools
  • Output from automated off-the-shelf security scanning tools (for example, Qualys, Burp Suite)
  • Generic vulnerability reports not explicitly pertaining to the aweber.com domain
  • Issues resulting from out-of-date browser specific usage
  • Simple, non-XSS content injection or URL redirection
  • Cookie flags
  • Logout cross-site request forgery
  • Sending of spam
  • Fraud-related activity or account disputes
  • Social engineering or physical testing of AWeber facilities
  • Denial of Service Attempts
  • Functionality, UX, and UI defects that do not create a security threat
  • Duplicate reports of issues previously reported by another researcher
  • Duplicate reports of the same type of vulnerability on multiple pages or fields (for example, Stored XSS that executes from multiple fields)
  • Best practices or additional hardening where there are already mitigating controls in place sufficient to reasonably protect The Lead Tree International Corporation users
  • Issues on any of our Blogs or videos

Reporting an issue

Send an email to info@clarkoutsourcing.com with the following information.

Incomplete or inaccurate reports that cannot be reproduced will be deemed ineligible for any reward and may not receive a response.

  • Summary of the issue
  • URL(s) or location of issue
  • Description and Details
    • What is the issue
    • What is the impact
    • Replication steps
    • Proof of Concept
  • Trace Dump / HTTP Request
  • Any additional info
  • Attachments or Links of screenshots or other images
  • Your name, email, and other contact information

What is done with my report?

Each report will be evaluated for legitimacy as it is submitted. The Lead Tree International Corporation will prioritize correcting all legitimate issues identified based on criticality. Please allow sufficient time for review, which may take a few weeks to complete. In addition, please allow sufficient time for resolution of any issues, as resolution time frames depend on criticality and complexity. If your report is the first instance of a unique issue, we will contact you within a reasonable amount of time to let you know whether you are eligible for a reward.

The Lead Tree International Corporation will not pursue legal action against individuals who follow all program rules where research is conducted in good faith with no impact to The Lead Tree International Corporation or its customers, partners, or advocates.

By submitting a report, you consent to provide your personal data to The Lead Tree International Corporation to contact you to clarify claims in your report and for facilitating any reward distribution.

Rewards

For any qualifying confirmed issue, The Lead Tree International Corporation will compensate you with swag or monetary rewards.

Rewards will be commensurate with vulnerability criticality.

The Lead Tree International Corporation will determine the reward value at our sole discretion and all decisions are final.

Rewards will be paid only after issues are resolved fully and a solution is in place in our production environment.

Restrictions

  • This program is not open to minors, individuals on sanctions lists, individuals in countries on sanctions lists, or The Lead Tree International Corporation employees.
  • You are responsible for any tax implications or additional restrictions depending on your country and local law.
  • All payments will be made in US Dollars (USD) via mailed check within the US or PayPal. Swag can only be shipped to a US address.
  • We reserve the right to cancel this program at any time and the decision to pay a reward is entirely at The Lead Tree International Corporation’s discretion.
  • The Lead Tree International Corporation will not negotiate any rewards if put under duress.
  • You must not violate any local, national, or international law in the course of your research.
  • You must not disrupt any service of The Lead Tree International Corporation or compromise any customer data of The Lead Tree International Corporation, which includes moving beyond a “proof-of-concept” for issue reproduction.
