Coordinated disclosure

Vulnerability disclosure & bug bounty

Claresia welcomes security research and rewards qualifying vulnerability reports. The public Bugcrowd / HackerOne program launches Q3 2026; until then, report directly to security@claresia.com under our public Vulnerability Disclosure Policy.

  • Disclosure policy: Active today
  • Bugcrowd / HackerOne: Q3 2026
  • Safe harbor: Active
  • Response SLA: 24h ack · 7d triage

Vulnerability Disclosure Policy

Claresia commits to the following when a security researcher reports a vulnerability in good faith:

  • We will acknowledge receipt within 24 hours (business days).
  • We will triage and assign a severity within 7 days.
  • We will keep you informed of remediation progress and timeline.
  • We will not pursue legal action against good-faith research that adheres to this policy.
  • We will credit you publicly on this page (with your consent) when the issue is resolved.

Safe harbor

Activities conducted in good faith and consistent with this policy are authorised. Claresia will not pursue or support any legal action related to your research, will work with you to understand and resolve the issue quickly, and considers your activity authorised under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and applicable foreign-law equivalents.

In scope

  • *.claresia.com — every public production subdomain
  • app.claresia.com (Command Center)
  • hub.claresia.com (Hub viewer)
  • docs.claresia.com (Documentation)
  • onboarding.claresia.com (Onboarding Portal)
  • Browser extension on Chrome, Edge, Firefox
  • Teams app + Slack app published in marketplaces
  • Distribution Plane LLM publishing endpoints

Out of scope

  • trust.claresia.com (this site — static, no production data)
  • Status page (status.claresia.com — managed by Statuspage)
  • Marketing site (claresia.com — no production data)
  • Theoretical attacks against third-party LLM providers (report to Anthropic / OpenAI / Google directly)
  • Social engineering of Claresia employees
  • Physical attacks against Claresia staff or property
  • Denial-of-service attacks
  • Findings exclusively dependent on outdated browsers (>2 versions behind current)

Reward ranges (effective at Q3 2026 program launch)

Severity   Reward range        Examples
Critical   $5,000 – $15,000    Customer-data exfiltration, account takeover at scale, privilege escalation across tenants.
High       $1,500 – $5,000     Single-tenant data exposure, authentication bypass, persistent stored XSS in admin surface.
Medium     $500 – $1,500       Reflected XSS, CSRF on sensitive endpoints, sensitive information disclosure.
Low        $100 – $500         Configuration weaknesses, security-relevant rate limits, low-impact misconfigurations.

Until the public program launches, qualifying reports submitted to vdp@claresia.com will be eligible retroactively for these rewards.

Report a vulnerability

Email a clear write-up including: affected URL, reproduction steps, impact assessment, and any proof-of-concept. Encrypt sensitive details with our PGP key (available on request). We acknowledge within 24 business hours.