Vulnerability Disclosure Policy
Cloze takes security and protection of user data very seriously. If you think you have discovered a security vulnerability in our software, please let us know by contacting firstname.lastname@example.org.
What to Include
In your report, please provide your name, contact information, and company name (if applicable), along with a detailed description of the issue and how to reproduce it, ideally with a proof-of-concept sample. Provide enough detail for our triage team to be able to reproduce the issue and understand its impact.
DO NOT test or report security vulnerabilities involving:
- Physical access to offices and hardware
- Social engineering (like phishing)
- Denial of service attacks or other testing that uses an inordinate amount of resources and may degrade service to other users
- Users or data in user accounts you do not have authorization to access (provide only information from users under your control; you may create multiple users if necessary, solely to demonstrate a vulnerability across user accounts)
- Password cracking
- Systems integrated with Cloze, outside of the scope of Cloze
- Rooted access to iOS or Android devices
- Really out-of-date or non-mainstream browsers (i.e. IE 6/7/8)
When in doubt, contact email@example.com for clarification of whether a particular activity is okay under this policy before initiating testing.
Cloze will acknowledge receipt of your report, and will provide information about next steps within one business day. We will review and prioritize the vulnerability internally, and may reach out to you if more information is needed. After the review, we will respond with an assessment of the vulnerability, and if appropriate, publicly disclose it. Please do not post or share information about a potential vulnerability before we are able to assess and address it. We will make every effort to respond to and address vulnerabilities rapidly, but it may take some time. Regardless of how long it takes to assess the vulnerability, we will provide periodic updates to you.
The information you provide under this policy will be kept confidential within Cloze, and we will not share it with third parties without your permission. However, if the issue you found is within the scope of third-party infrastructure and/or software, we may disclose the nature of the vulnerability to the third party after notifying you. We will never share personal or sensitive information to the third party in that case without your permission.
We’re not an Internet giant, but will happily award between $100-$300 for critical disclosures, and may award more at our discretion.
Please note that we are not a huge company, and all of our engineers have many responsibilities in addition to keeping our product secure. Since that is the case, there may be a lag in responses from us, and there may be some time between submission and the patching of the vulnerability. We’re sorry if you bump into either of these things, but promise that we will eventually evaluate and respond to your submissions.
Here are some other things to know about our bug bounty program:
- You are the original source of the bug through your own research, and you are the first person to report the particular vulnerability to us.
- You have given/are giving us a reasonable amount of time to act upon the disclosure before disclosing it to any other organization, or to the public.
- You are not a minor, nor are you on any list of people we are not legally allowed to do business with.
- Please do not run any automated exploit scanners without a limited scope. This generates spam for us, and is annoying, and will likely cover a lot of ground that has already been tread.
- We reserve the right to refuse or grant awards solely at our discretion, and to modify our bug bounty program at any time with no prior notice. We’ll try not to be reasonable about it, though.
- We leave any tax implications or legal standing in your own country to be entirely your own responsibility.