Vulnerability Disclosure Guidelines

As a security company, keeping our customers safe is Clear InfoSec’s primary concern. Clear InfoSec uses a Secure Development Lifecycle process to integrate security into its products from design, through development and release. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market.

At Clear InfoSec we investigate all received vulnerability reports and implement the best course of action to protect our services and customers.

Identifying and reporting a security vulnerability:

If you are a security researcher and have discovered a security vulnerability in our website or products, we appreciate your help in disclosing it to us in a responsible manner.

Privately share the details of suspected vulnerabilities with our Security Team here.

Clear InfoSec will review each submission to determine if the finding: (a) is valid and (b) has not previously been reported.
Clear InfoSec requires security researchers to include detailed information, with steps that allow Clear InfoSec’s Information Security Team to reproduce the vulnerability efficiently, in order for a security researcher to be considered for monetary compensation.

In addition, to remain compliant with this Policy, security researcher(s) are prohibited from:

• Accessing, downloading, or modifying data that does not belong to the security researcher(s);
• Executing or attempting to execute any “Denial of Service” (DoS) or related attack against any Clear InfoSec website, product or service;
• Posting, transmitting, uploading, linking to, sending, or storing any malicious software on or to any Clear InfoSec website or service;
• Testing any suspected vulnerability in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, or any other form of unsolicited message to our employees and customers;
• Testing any suspected vulnerability in a manner that would degrade or negatively impact the operation of any Clear InfoSec service or system; and/or
• Testing third-party applications, websites, or services that integrate with or link to any Clear InfoSec website or services.

Our Commitment:

If you identify a verified vulnerability in compliance with Clear InfoSec’s Responsible Disclosure Policy, we commit to:

• Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission);
• Work closely with you to understand the nature of the issue and agree on timelines for fix/disclosure together;
• Allow Clear InfoSec an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, to ensure that Clear InfoSec has developed and thoroughly tested a patch and made it available to our customers at the time of disclosure;
• Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated;
• Publicly acknowledge your responsible disclosure (if you wish credit for such disclosure).

Clear InfoSec supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after release of a security patch or update. Clear InfoSec advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to apply patches promptly.
 
The Clear InfoSec (Ana-data) senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various Security team employees have day-to-day operational responsibility for this policy and must ensure that all managers and other employees who may deal with concerns or investigations under this policy receive regular and appropriate training.
 
Clear InfoSec’s Security team reviews our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.
Thanks for your help. We sincerely appreciate the efforts of security researchers.

Out of Scope:

• Attacks related to email servers, email protocols, email security (e.g., SPF, DMARC, DKIM), or email spam.
• Reports of simple IP or port scanning.
• Email security best practices or controls.
• Software or infrastructure bannering/fingerprinting.
• Domain-based phishing, typosquatting, punycode, bitflips, or other similar techniques.
• Clickjacking or self-XSS.
• Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure.
 
Please send all your reports to info@clearinfosec.com with the subject line “Vulnerability Disclosure”.

Last Updated: Sep.09