Contact: mailto:security@claritylift.ai
Expires: 2027-04-18T00:00:00.000Z
Preferred-Languages: en
Canonical: https://claritylift.ai/.well-known/security.txt
Policy: https://claritylift.ai/privacy

# ClarityLift security contact — Phase 4.10, RFC 9116.
#
# Report a vulnerability: email security@claritylift.ai with a clear
# reproduction. We aim to acknowledge within 2 business days. Please
# do not exploit the issue beyond what is necessary to demonstrate it;
# do not access data belonging to other ClarityLift customers.
#
# Scope:
#   - claritylift.ai and *.claritylift.ai
#   - The ClarityLift Slack app (app id in our Slack listing)
#   - The ClarityLift Microsoft Teams app (app id in the Azure AD listing)
#
# Out of scope:
#   - Issues in third-party services (Azure, OpenAI, Slack, Microsoft
#     Graph, Stripe). Report those directly to the vendor.
#   - Denial-of-service that depends on generating high request volume.
#   - Missing security-hardening headers that do not lead to a working
#     exploit on their own.
#
# We do not run a paid bug bounty today. We will credit researchers
# who follow this policy in our public security acknowledgements once
# we publish one, unless the researcher asks to remain anonymous.