Vulnerability Disclosure Policy

Purpose

This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities directed at Clari’s Web, Mobile app and infrastructure, as well as submitting discovered vulnerabilities.

Overview

Maintaining the security of our production environment is a high priority for us.

The responsible security researcher community regularly makes valuable contributions to the security of organizations and the broader Internet, and Clari recognizes that fostering a close relationship with the community will help improve our own security. So if you have information about a vulnerability in our website or SaaS platform, we want to hear from you!

Information submitted to Clari under this policy will be used for defensive purposes – to mitigate or remediate vulnerabilities in our SaaS platform and those of our vendors.

This is Clari’s initial effort to create a positive feedback loop with researchers – please be patient as we refine and update the process.

Please review, understand, and agree to the following terms and conditions before conducting any testing and before submitting a report. Let us know if you disagree or have any questions related to our responsible disclosure policy.

Thank you.

Scope

Clari's Software as a Service (SaaS) platform, including web, mobile and any other components of its infrastructure.

How to Submit a Report

Please provide a detailed summary of the vulnerability, including: type of issue; product, version, and configuration of software containing the bug; step-by-step instructions to reproduce the issue; proof-of-concept; impact of the issue; and suggested mitigation or remediation actions, as appropriate.

By submitting a report you are indicating that you have read, understood, and agreed to the guidelines described in this policy. Reports should be submitted via email to security@clari.com. If your report contains confidential information, please do not share it via email. Our team will provide instructions on how best to share confidential data.

Guidelines

Clari's Information Security team will deal in good faith with researchers who discover, test, and submit vulnerabilities or indicators of vulnerabilities in accordance with these guidelines:

  • Your activities are limited exclusively to:

    • (1) Testing to detect a vulnerability or identify an indicator related to a vulnerability; or

    • (2) Sharing with, or receiving from, DoD information about a vulnerability or an indicator related to a vulnerability.

  • You do no harm and do not exploit any vulnerability beyond the minimal amount of testing required to prove that a vulnerability exists or to identify an indicator related to a vulnerability.

  • You avoid intentionally accessing the content of any data except to the extent that the information is directly related to a vulnerability and the access is necessary to prove that the vulnerability exists.

  • You do not exfiltrate any data under any circumstances.

  • You do not intentionally compromise the privacy or safety of Clari personnel or third parties.

  • You do not intentionally compromise the intellectual property or other commercial or financial interests of any Clari personnel or entities, or any third parties.

  • You do not publicly disclose any details of the vulnerability, indicator of vulnerability, or the content of information rendered available by a vulnerability, except upon receiving explicit written authorization from Clari’s Information Security.

  • You do not conduct denial of service testing.

  • You do not conduct social engineering, including spear phishing.

  • You do not submit a high volume of low-quality reports.

  • If at any point you are uncertain whether to continue testing, please engage with our team.

What You Can Expect From Us

We take every disclosure seriously and very much appreciate the efforts of security researchers. We will investigate every disclosure and strive to ensure that appropriate steps are taken to mitigate risk and remediate reported vulnerabilities.

Clari is committed to coordinating with the researcher as openly and quickly as possible. This includes:

  • We will acknowledge receipt of your report as soon as possible. Clari’s Information Security team will investigate the report and may contact you for further information.

  • To the best of our ability, we will confirm the existence of the vulnerability to the researcher and keep the researcher informed, as appropriate, as remediation of the vulnerability is underway.

  • We want researchers to be recognized publicly for their contributions if that is the researcher's desire. We will seek to allow researchers to be publicly recognized whenever possible. However, public disclosure of vulnerabilities will only be authorized with the express written consent of Clari.

You must comply with all applicable Federal, State, and local laws in connection with your security research activities or other participation in this vulnerability disclosure program.

Clari does not authorize, permit, or otherwise allow (expressly or impliedly) any person, including any individual, group of individuals, consortium, partnership, or any other business or legal entity to engage in any security research or vulnerability or threat disclosure activity that is inconsistent with this policy or the law. If you engage in any activities that are inconsistent with this policy or the law, you may be subject to criminal and/or civil liabilities.

If you conduct your security research and vulnerability disclosure activities in accordance with the restrictions and guidelines set forth in this policy, (1) Clari will not initiate or recommend any law enforcement or civil lawsuits related to such activities, and (2) in the event of any law enforcement or civil action brought by anyone other than Clari, we will take steps to make known that your activities were conducted pursuant to and in compliance with this policy.

Clari may modify the terms of this policy or terminate the policy at any time.