1. How to report
To help us investigate efficiently, please include, where available:
- A description of the vulnerability
- Affected URL(s), endpoint(s), or feature(s)
- Reproduction steps
- Proof-of-concept materials where appropriate
- Your contact information
2. Our commitment
- We will acknowledge receipt of valid security reports within a reasonable amount of time.
- We will investigate reported issues in good faith.
- We may request additional information to reproduce or validate the issue.
- We will keep reporters informed regarding the status of the investigation where reasonably practicable.
3. Good-faith research
Provided you comply with this Policy, ClarityCheck considers good-faith security research to be authorized. Researchers should:
- Access only the minimum information reasonably necessary to demonstrate the reported issue.
- Immediately stop testing if personal information is encountered beyond what is reasonably necessary to validate the vulnerability.
- Avoid modifying, deleting, retaining, copying, publishing, or disclosing personal information except as reasonably necessary to report the issue to ClarityCheck.
- Avoid disrupting the availability or performance of the Services.
4. Out of scope
This Policy does not authorize:
- Social engineering or phishing
- Physical attacks
- Denial-of-service attacks
- Malware deployment
- Credential stuffing or password attacks
- Spam or excessive automated testing
- Persistence after a vulnerability has been demonstrated
- Accessing data beyond what is reasonably necessary to validate the issue
- Any activity prohibited by applicable law
5. Rewards
6. Public disclosure
We request that researchers refrain from publicly disclosing vulnerabilities until ClarityCheck has had a reasonable opportunity to investigate and remediate the reported issue.
7. Urgent incidents
Active incident? Flag it immediately.
If you believe personal information has been exposed or there is an active security incident requiring immediate attention, indicate URGENT SECURITY INCIDENT in the subject line of your report to [email protected].