Security
Vulnerability Disclosure Policy
Last updated: 2026-06-05
DRAFT — This document is a template for review by qualified legal counsel before being relied upon. It does not constitute legal advice.
We welcome reports from the security community. If you believe you have found a security vulnerability in Clarity Stream, please report it to us so we can fix it quickly and safely.
Contact
Email: security@clarity-stream.example
See also: /.well-known/security.txt
Scope
- Production domains operated by Clarity Stream.
- Clarity Stream web application and APIs.
- Clarity Stream-published mobile/desktop clients.
Out of scope
- Denial-of-service or volumetric attacks.
- Social engineering of Clarity Stream employees or customers.
- Physical attacks against our offices or staff.
- Vulnerabilities in third-party services (please report to them directly).
Safe harbor
We will not pursue civil or criminal action against researchers who act in good faith, comply with this policy, avoid privacy violations and data destruction, and give us reasonable time to remediate before public disclosure (typically 90 days).
Recognition
We maintain a Hall of Fame for valid reports. A formal bug bounty program is on our roadmap.