Security
Last updated: May 2026
Found a security issue? We welcome coordinated vulnerability disclosure. Researchers who report issues in good faith have our gratitude, not our lawyers.
Reporting a Vulnerability
If you believe you've found a security issue in Clareio, please send details to security@clareio.co. Helpful information to include:
- A description of the issue and its potential impact
- Steps to reproduce
- Any supporting material such as screenshots or proof-of-concept code
- Your contact information (anonymous reports are also accepted)
Scope
This policy applies to:
- app.clareio.com
- clareio.com
Vulnerabilities in third-party services we use should be reported directly to the respective vendor.
Our Response
We will acknowledge and respond to reports as quickly as we are able, and provide updates as we work through them. We will not pursue legal action against researchers acting in good faith under this policy.
Disclosure Guidelines
To act in good faith under this policy, please:
- Avoid privacy violations, data modification, or service degradation
- Use exploits only to the extent necessary to confirm a vulnerability
- Allow at least 90 days from acknowledgment before public disclosure
- Do not test against other users' accounts or data without their permission
- Stop testing and notify us immediately if you encounter sensitive user data
Out of Scope
The following are typically not eligible under this policy:
- Social engineering attacks against Clareio personnel or users
- Denial of service (DoS) testing or volumetric attacks
- Physical attacks on infrastructure
- Findings from automated tools without demonstrated exploitation
- Issues in third-party services or libraries we depend on (report to the vendor)
- Reports of missing security headers or theoretical vulnerabilities without proof of impact
Contact
Security reports: security@clareio.co