SECURITY POLICY

Vulnerability disclosure policy

We welcome reports from security researchers. This policy describes how to report vulnerabilities, what we commit to in response, and our coordinated disclosure timeline.

REPORT A VULNERABILITY

security@claremesh.com

For sensitive reports, request our PGP key in your initial message.

Scope

The following are in scope for this policy:

  • claremesh.com and all subdomains
  • ClareMesh edge functions and APIs
  • npm packages: @claremesh/schema, @claremesh/transforms
  • GitHub repositories under github.com/Malikfrazier35/ClareMesh

Out of scope

  • Sub-processor infrastructure (Supabase, Vercel, GitHub) — report to those vendors directly
  • Findings from automated scanners without proof of exploitability
  • Social engineering of ClareMesh employees
  • Physical attacks against ClareMesh facilities
  • DDoS or volumetric attacks
  • Self-XSS or vulnerabilities requiring victim co-operation

What we commit to

Acknowledgment

We respond within 5 business days of your report.

Triage

Initial severity assessment within 10 business days.

Status updates

Progress updates at least every 14 days until resolution.

Coordinated disclosure

90-day coordinated disclosure window. We may request extensions for complex vulnerabilities.

Credit

Public acknowledgment in our security hall of fame (with your permission). Real names or handles welcome.

Safe harbor

We will not pursue legal action against researchers acting in good faith under this policy.

Reporting guidelines

Please include the following in your report:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce — minimal proof of concept preferred
  • Affected URLs, endpoints, or package versions
  • Your contact information for follow-up
  • Whether you intend to publish your findings (and timing)

Bounty program

We do not currently operate a paid bounty program. We're a small team and prioritize fast remediation over monetary rewards. We provide public credit and may offer ClareMesh swag for impactful reports.

Contact

Email security@claremesh.com. PGP key available on request.

Policy version 1.0 · Last updated April 17, 2026