Clazar Vulnerability Disclosure Policy

At Clazar, security is a top priority, and we are committed to maintaining the trust of our customers and partners. This Vulnerability Disclosure Policy describes how security researchers can report potential vulnerabilities in our systems. We encourage responsible disclosure and will work with you to address confirmed security issues promptly.

Scope

The following assets are considered in-scope:

  • *.clazar.io

The following are out of scope:

  • Third-party services (e.g., Heroku, GitHub, Datadog) not owned by Clazar
  • Social engineering, phishing, or physical attacks
  • Denial-of-service (DoS) or brute-force testing
  • Automated scanning without coordination

How to Report

Please report potential vulnerabilities by emailing [email protected].

Include as much detail as possible:

  • Steps to reproduce the issue
  • Any proof-of-concept (PoC) code or screenshots
  • Impact assessment

We will acknowledge your submission within 5 business days.

Non-Acceptable Categories

While we welcome reports that help strengthen Clazar’s security, some types of findings are not eligible for recognition. These are typically issues that are already known, carry very low risk, or provide little to no security value on their own. Reports in the following categories will not qualify for recognition unless they are accompanied by a proof of concept demonstrating real impact:

  • Denial-of-Service (DoS) or brute-force style attacks.
  • Email and DNS configurations, such as SPF, DKIM, or DMARC alignment.
  • Self-XSS vulnerabilities or injection attacks that only affect the reporting user.
  • Social engineering (e.g., phishing employees, physical intrusion).
  • Spam or spoofing techniques that don’t directly impact Clazar systems.
  • Clickjacking, where the impact is negligible or only UI-based.
  • Cross-Site Request Forgery (CSRF) on anonymous or low-impact actions (e.g., adding items to a favorites list).
  • Version disclosure of software, libraries, or frameworks.
  • Enumeration of usernames, site names, or email addresses without further impact.
  • Unvalidated open redirects or tab-nabbing with no security consequence.
  • Informational issues such as verbose error messages, stack traces, robots.txt, or directory listings.
  • Cookie settings missing Secure or HttpOnly flags where no exploitation is possible.
  • Weak or missing CAPTCHA implementations.
  • TLS/SSL and best-practice configuration findings (cipher preferences, lack of forward secrecy, missing security headers, etc.) that do not result in a practical exploit.
  • Reports of outdated third-party libraries without a proof-of-concept showing how Clazar is affected.

Final determination: Clazar reserves the right to determine whether a reported issue is a valid vulnerability, its severity, and whether it qualifies for recognition under this policy.

Safe Harbor

Clazar is committed to working with security researchers who:

  • Make a good-faith effort to avoid privacy violations, service disruptions, and destruction or modification of data.
  • Report vulnerabilities promptly and do not exploit them beyond what is necessary to demonstrate the issue (for example, do not access, retain, or exfiltrate data belonging to other users).
  • Give us a reasonable time to remediate before disclosing the issue publicly.

Recognition

We value contributions from the security community. Valid reports will be recognized in our Security Hall of Fame on the Clazar website.

Have additional questions?

Email us at: [email protected]