Responsible Disclosure Policy
Last update: 13/05/2026
Commitment
Clear Fashion is committed to handling security vulnerability reports in a transparent, prompt, and respectful manner towards the researchers who help us improve the security of our systems.
Scope
In scope
| System | URL / Description |
|---|---|
| Rails API | api.clear-fashion.com |
| Partner portal | portal.clear-fashion.com |
| B2C web app | app.clear-fashion.com (or equivalent) |
| Mobile app | Clear Fashion app for iOS and Android |
| Public widgets | widget.clear-fashion.com |
Out of scope
The following are excluded from this policy:
- DoS / DDoS attacks
- Spam or social engineering (phishing, vishing)
- Physical attacks against our premises or equipment
- Vulnerabilities in third-party services not maintained by Clear Fashion (Heroku, Firebase…)
- Automated scanner findings without proof of exploitability
- Missing best practices without demonstrable impact
Rules of engagement
To be eligible under this policy, the researcher must:
- Not access data that does not belong to them
- Not modify or delete data without explicit consent
- Not disrupt production services
- Not publicly disclose the vulnerability before Clear Fashion has had the opportunity to fix it
- Give Clear Fashion a reasonable time to fix the vulnerability (see timelines below)
In return, Clear Fashion commits not to pursue legal action against researchers who follow these rules.
How to contact us
Email: security@clear-fashion.com
Encryption: no PGP key is available at this time. If you need to encrypt your report, contact us first to agree on a secure channel.
What makes a good report
- Clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Vulnerability type (OWASP, CWE if possible)
- Affected systems and URLs
- If applicable: screenshots, HTTP requests, proof-of-concept code
Response timelines
| Step | Timeline |
|---|---|
| Acknowledgement | 48 business hours |
| Qualification and classification | 7 days |
| Fix (critical vulnerability) | 72 hours after qualification |
| Fix (high vulnerability) | 7 days after qualification |
| Fix (medium/low vulnerability) | 30 days after qualification |
| Public disclosure authorisation | After fix or mutual agreement |
If Clear Fashion fails to meet these timelines, the researcher may disclose publicly after making a second attempt to contact us.
What we offer
Clear Fashion is a startup — we do not have a financial bug bounty at this stage. In exchange for responsible disclosure, we offer:
- Acknowledgement and transparent tracking of the resolution
- Credit in our Hall of Fame if desired
- Our sincere gratitude for helping keep our users safe
Hall of Fame
| Date | Researcher | Vulnerability type | Resolution |
|---|---|---|---|
| — | — | — | — |