Vulnerability Disclosure Policy
Cloze takes security and the protection of user data very seriously. If you think you have discovered a security vulnerability in our software, please let us know by contacting firstname.lastname@example.org.
What to Include
In your report, please provide your name, contact information, and company name (if applicable), along with a detailed description of the issue and how to reproduce it, ideally with a proof-of-concept sample. Provide enough detail for our triage team to be able to reproduce the issue and understand its impact.
DO NOT test or report security vulnerabilities involving:
- Physical access to offices and hardware
- Social engineering (like phishing)
- Denial of service attacks or other testing that uses an inordinate amount of resources and may degrade service to other users
- Users or data in user accounts you do not have authorization to access (provide only information from users under your control; you may create multiple users if necessary, solely to demonstrate a vulnerability across user accounts)
- Password cracking
- Systems integrated with Cloze, outside of the scope of Cloze
When in doubt, contact email@example.com for clarification of whether a particular activity is okay under this policy before initiating testing.
Cloze will acknowledge receipt of your report, and will provide information about next steps within one business day. We will review and prioritize the vulnerability internally, and may reach out to you if more information is needed. After the review, we will respond with an assessment of the vulnerability, and if appropriate, publicly disclose it. Please do not post or share information about a potential vulnerability before we are able to assess and address it. We will make every effort to respond to and address vulnerabilities rapidly, but it may take some time. Regardless of how long it takes to assess the vulnerability, we will provide periodic updates to you.
The information you provide under this policy will be kept confidential within Cloze, and we will not share it with third parties without your permission. However, if the issue you found is within the scope of third-party infrastructure and/or software, we may disclose the nature of the vulnerability to the third party after notifying you. In that case, we will never share personal or sensitive information with the third party without your permission.