Security Disclosure Policy

Security is everybody's business. We pride ourselves on making Cleafy a secure product, but we are aware that no software is ever bug free. As such, there will occasionally be security issues. This policy outlines how we approach security vulnerabilities.


Guiding Principles

  • We prioritise our customer's security interests over our own business interests.
  • All customers deserve to know if even the most minor of their personal data is leaked.
  • No-one benefits when security vulnerabilities are kept hidden.
  • Security at Cleafy isn't a silo, it's everyone's responsibility.

Responsible Disclosure

In general we follow the practice of responsible disclosure:

  • We will respond to security incidents as a priority.
  • We will fix the issue as soon as practicable, keeping in mind that not all risks are created equal.
  • We will always transparently let customers know about any incident that affects them. Usually this will be after fixing it, unless the fix is likely to take more than 24 hours and the risk is so high that customers would be better off disabling or uninstalling Cleafy than wait for a fix.

Vulnerability Rewards

We currently do not have a monetary rewards program for unsolicited security research, nor do we have a bug bounty program in place.

Report a Security Vulnerability

If you have a concern regarding security with Cleafy, or would like to report a security vulnerability, please send an email to security@cleafy.com.

For security vulnerabilities, please include as much information as possible, with full details about how to reproduce and validate the vulnerability, preferably with a proof of concept. If you wish to encrypt your report, please use our PGP key.
Please give us a reasonable amount of time to correct the issue, before making it public.

We will respond to your report within 1 business day.

Last update June 17, 2020