Security | Vulnerability Disclosure
We take security seriously. So do you.

Security researchers play an important role in keeping Clozd and our customers safe. If you've found a potential vulnerability in our platform, we want to hear from you — and we're committed to working with you transparently and respectfully throughout the process.

This page describes how to report a vulnerability, what to expect from us, and the protections we extend to researchers who act in good faith.

Clozd does not operate a bug bounty program and does not offer financial compensation for vulnerability reports.

How to Report a Vulnerability

Submit your report through either of the channels below. To help us triage quickly, please include:

A clear description of the vulnerability and its potential impact

The affected URL, endpoint, or asset

Step-by-step instructions to reproduce the issue

Any tools or techniques used during discovery

Supporting evidence such as screenshots, logs, or proof-of-concept code

Submit a Report

HackerOne VDP: https://hackerone.com/clozd-vdp

Email: vdp@clozd.com

What to Expect From Us

We respect the time researchers put into responsible disclosure. Here are our commitments once you submit a report:

Milestone Trigger Standard Target
Initial acknowledgment Report received 5 business days 5 business days
Triage complete Acknowledgment sent 10 business days 10 business days
Critical resolution Triage complete 7 business days
High resolution Triage complete 30 business days
Medium resolution Triage complete 60 business days
Low resolution Triage complete 90 business days

We will keep you informed as we investigate and work toward a fix. We ask that you give us a reasonable window to resolve the issue before any public or third-party disclosure.

Rules of Engagement

To keep research safe and legal for everyone, please follow these guidelines:

Do not access, modify, or delete data that does not belong to you. If you encounter customer data or PII at any point, stop immediately, purge it from your systems, and let us know.

Do not disrupt or degrade Clozd services, including denial-of-service and resource exhaustion attacks.

Do not use social engineering, phishing, or physical access techniques.

Do not exploit a vulnerability beyond what is necessary to confirm it exists.

Comply with all applicable laws and regulations in your jurisdiction and ours.

Program Scope

In Scope

We welcome reports on the following Clozd-owned assets:

Clozd Web Application and Platform (app.clozd.com)

Clozd-owned APIs

Out of Scope

The following are outside the scope of this program and will not be considered:

Physical security testing

Social engineering and phishing attacks

Denial of service and resource exhaustion attacks

Third-party services or infrastructure not owned or operated by Clozd

Safe Harbor

Clozd considers security research conducted in accordance with these guidelines to be authorized activity. We will not pursue civil or criminal legal action against researchers who:

Follow the rules of engagement set out on this page.

Act in good faith and avoid causing harm to Clozd, our customers, or our infrastructure.

Report findings promptly through the designated channels.

Do not exploit a vulnerability beyond confirming its existence.

Clozd reserves all legal rights in the event of noncompliance with these guidelines.