Responsible disclosure

We appreciate researchers and customers who take the time to report security issues in ClaimCircuit. This page describes how to reach us, what helps us act quickly, and how we handle reports.

How to report

Email security@claimcircuit.com. Use a descriptive subject so we can triage quickly. Please do not file public GitHub issues, social posts, or support tickets for security reports.

If a vulnerability involves customer data, hold off on further testing once impact is established and let us coordinate.

What to include

  • A clear description of the issue and the impact you observed.
  • Steps to reproduce, including URLs, request payloads, accounts used, and timestamps where helpful.
  • Your environment (browser, OS) for client-side issues.
  • Any proof-of-concept code or screenshots, with sensitive customer data redacted.
  • A way to reach you for follow-up. PGP is not required; if you prefer encrypted mail, mention it in your first message.

How we handle reports

We aim to acknowledge new reports within a reasonable business window, investigate in good faith, and keep you informed as we triage and remediate. We do not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, destruction of data, or interruption of service.
  • Stop testing and notify us as soon as a vulnerability is confirmed.
  • Do not exploit the issue beyond what is needed to demonstrate it, and do not retain customer data.
  • Give us a reasonable opportunity to remediate before public disclosure.

This page describes our intent for good-faith handling and does not create any contractual or legal commitment beyond that.

Out of scope

  • Denial-of-service attacks, volumetric testing, and load testing against production.
  • Social engineering of employees, customers, or contractors; physical attacks; phishing.
  • Reports based solely on missing security headers, cookie flags, or automated scanner output without demonstrable impact.
  • Findings in third-party services we use, unless the issue is clearly caused by our integration.
  • Vulnerabilities requiring physical access, malware, or a compromised device of the victim.
  • Issues affecting only outdated browsers or unsupported platforms.

Rewards

ClaimCircuit does not currently operate a paid bug bounty program. We are grateful for responsible reports and will credit researchers on request once an issue is fixed.

Related

See Security for an overview of our access controls, data isolation, and AI governance, and the status page for operational state.