While we don’t run a paid bug bounty program, we genuinely value researchers who help improve PureClarity’s security.
Legal Protection
Our Commitment
When you follow this policy, PureClarity promises:
✅ No legal action against you for security research
✅ Authorized research under applicable laws (CFAA, DMCA, etc.)
✅ Collaborative approach - we work with you, not against you
✅ Good faith treatment throughout the process
This policy provides legal safe harbor for responsible security research conducted within the specified guidelines.
Scope of Testing
✅ Approved Testing Targets
You may test:
- Any *.pureclarity.com domains and subdomains
- PureClarity APIs and endpoints
- Mobile applications developed by PureClarity
- JavaScript libraries (on your own test accounts only)
❌ Prohibited Activities
Please do not:
- Physical attacks on offices or personnel
- Access other customers’ data or accounts
- Denial of service attacks or service disruption
- Test on customer websites using PureClarity (only test on PureClarity infrastructure)
Testing outside these guidelines may result in legal action and is not covered by this disclosure policy.
Responsible Testing Guidelines
Setting Up for Testing
- Create a test account
  - Sign up for a free PureClarity account
  - Clearly mark it as a test/research account
  - Use only test data and scenarios
- Scope limitation
  - Test only on your own account data
  - Don’t attempt to access other users’ information
  - Focus on security vulnerabilities, not privacy violations
- Testing methodology
  - Use manual testing methods when possible
  - Avoid automated tools that generate excessive traffic
  - Stop immediately if you encounter other users’ data
Quality over quantity - focus on meaningful security issues rather than running comprehensive automated scans.
Reporting Security Issues
Contact Information
Email: support@pureclarity.com
Subject Line: “Security Issue: [Brief Description]”
Required Information
Include in your report:
Issue Details
- Clear description of the vulnerability
- Potential impact and risk assessment
- Classification (if known): OWASP category, CVE, etc.
- Step-by-step instructions to reproduce
- Screenshots or videos if helpful
- Specific URLs, parameters, or data involved
- Why this issue matters
- Potential attack scenarios
- Affected systems or users
- Your name (if you want public credit)
- Preferred contact method
- Any affiliation or organization
Clear, detailed reports help us understand and fix issues more quickly.
Response Process
Our Timeline
Initial Response: Within 5 business days
- Acknowledgment of receipt
- Initial assessment of the issue
- Confirmation of coverage under this policy
- Progress updates on investigation
- Timeline for potential fixes
- Any additional information needed
- We aim to resolve issues within 90 days
- Complex issues may require additional time
- We’ll keep you informed of any delays
Disclosure Timeline
We request 90 days before public disclosure, but we’re flexible based on the severity and circumstances of the issue.
- Work together on disclosure timeline
- Public credit if desired
- Coordinate any public announcements
Recognition and Thanks
How We Show Appreciation
While we can’t offer cash rewards, we provide:
🏆 Social Media Recognition
- Shoutout from our founders on social platforms
- Recognition of your contribution to security
- LinkedIn recommendation from our founders
- Professional reference for security work
- Recognition in security advisories (if desired)
- Credit in our security acknowledgments
Every security report helps us build a better, more secure product for all our customers.
Frequently Asked Questions
What types of issues are you looking for?
High-priority issues:
- Authentication bypasses
- SQL injection or other injection attacks
- Cross-site scripting (XSS)
- Access control vulnerabilities
- Data exposure issues
What if I’m not sure if something is a security issue?
When in doubt, report it! We’d rather investigate a non-issue than miss a real vulnerability.
Can I test integrations with other platforms?
Only test PureClarity’s components and infrastructure. Don’t test third-party platforms or customer websites.
How do I get help with testing?
Email support@pureclarity.com with questions about this policy or testing guidelines.
Policy Updates
This policy may be updated periodically. Check back for the latest version before conducting security research.