Responsible Disclosure Policy

Introduction

The Claromentis team work hard to secure and protect the availability, integrity, and confidentiality of the company and our customers and we are constantly striving to improve! If you have found a vulnerability, we’d be grateful for your assistance in helping to make our sites and services more secure for our team and our customers. We investigate and assess all reports as a priority. We’ve put together this policy to help you submit any vulnerability to us and to explain the process.

Scope

While Claromentis maintains other sites/services we ask that all security researchers submit vulnerability reports only for what is currently listed below:

  • • www.claromentis.com
  • • discover.claromentis.com
  • • workplace.claromentis.com

How to submit a vulnerability

We invite anyone who has found a security issue to contact our team using the following email address:

security@claromentis.com

To ensure the confidentiality of the email, we ask that you anonymise, mask, or redact any sensitive data, or alternatively please encrypt the data using our public PGP key.

We ask that all submissions to this email address include:

  • • A clear description and evidence of the vulnerability (logs, screenshots, responses)
  • • How to reproduce the issue (include detailed steps)
  • • The URL or IP address of the affected site/service
  • • Your name and contact details

Guidelines

Whilst we encourage you to report any security concerns you may have, we ask that you follow these guidelines:

  • • Submit only vulnerabilities within the scope of this policy, using the contact details described under ‘How to submit a vulnerability’
  • • Share any data to us privately and not with any third party
  • • Refrain from disclosing vulnerability details to the public unless an agreed timeline has expired
  • • You should also adhere to the laws of your location as well as the location of Claromentis and our customers

Under no circumstance should you:

  • • Engage in vulnerability testing outside the scope of this policy
  • • Put the data of Claromentis or customer data at risk
  • • Compromise the availability of any system
  • • Attempt to access any data or information that does not belong to you
  • • Use any social engineering techniques against the Claromentis team or our customers

Our Commitment

We commit to investigating and will attempt to resolve any vulnerability as soon as we can. We aim to respond to all reports within 14 days.

We will not initiate claims against you, so long as all terms set out in this responsible disclosure policy has been adhered to.

Recognition

We don’t offer a financial reward for submissions, however we would like to recognise anyone who takes the time to submit genuine, medium/high risk vulnerabilities. We’ll assess each submission on a case by case basis. If the vulnerability you submit is something we weren’t aware of and we class it to be of significant risk, we’ll ask if you would like for your name to be shown proudly in our hall of fame below!

 

🏆 Hall of Fame 🏆

We’d like to publicly recognise and thank the following people who have helped report security vulnerabilities to us.