ClearEvent Vulnerability Disclosure Policy

Last Updated: 2025-12-15

1. Introduction

ClearEvent is committed to maintaining the security and privacy of our platform, services, and customer data. We welcome responsible security research and appreciate contributions that help us improve our defenses. If you identify a potential security issue, please report it to us directly so we can investigate and remediate it promptly.

2. How to Report a Vulnerability

Please submit vulnerability reports using our secure reporting form: https://clearevent.com/report-vulnerability/ or submit to vulnerabilities@clearevent.com

When reporting an issue, please include:
- Description of the suspected vulnerability
- Steps to reproduce the issue
- Affected URL or system component
- Potential impact or risk
- Screenshots, proof-of-concept, or example code if available
- Your contact details for follow-up

For encrypted submissions, our PGP public key is available at: https://clearevent.com/pgp.txt

3. Scope

Researchers may test the following areas, provided testing is non-disruptive and conducted in good faith:
- Public, non-transactional ClearEvent web pages
- Authentication, login, logout, and session management flows
- Access control and role-based permission boundaries
- Public API endpoints that do not modify data or trigger customer workflows
- The main marketing site at clearevent.com
- Any sandbox or demo environments explicitly designated by ClearEvent for security testing

Testing must not impact the availability, performance, data integrity, or operation of ClearEvent’s production services. Please keep testing non-disruptive and targeted.

4. Out of Scope

To protect our customers, their attendees, and their live events, the following activities are strictly prohibited:

Interactions with Live Customer Events
- Creating test registrations, ticket purchases, RSVPs, bookings, or orders
- Redeeming, generating, or modifying tickets, promo codes, or access codes
- Scanning or interacting with attendee QR codes used for check-in
- Triggering customer-facing workflows such as confirmation emails, notifications, or attendee messaging

Financial or E-commerce Interactions
- Submitting or simulating payments, refunds, transfers, charges, or chargebacks
- Modifying or bypassing pricing, tax rules, discount logic, or service fees
- Interacting directly with Stripe payment processor endpoints

Customer or Attendee Data Access
- Accessing, modifying, or exporting customer or attendee data
- Attempting to escalate privileges into customer, staff, or organizer accounts
- Viewing or extracting private event configuration or restricted dashboard content

Operational Interference
- Stress testing, rate-limit probing, or performance testing
- Automated scanning, fuzzing, or high-volume request generation
- Interacting with live organizer dashboards, scheduling tools, device profiles, or admin panels
- Performing actions that could affect live event operations or attendee experience

Third-Party Integrations
- Testing or manipulating systems such as Stripe, Intercom, Mailchimp, Azure services, or analytics providers
- Attempting to access, alter, or replay API keys, credentials, or webhooks

Any activity that risks degrading service performance, impacting financial transactions, or exposing customer data is out of scope.

5. Safe Harbor for Good-Faith Security Research

ClearEvent supports Safe Harbor protections for researchers who act in good faith. When conducting research under this policy:
- ClearEvent will consider your actions authorized, and will not pursue legal action against you.
- ClearEvent will not initiate or support civil or criminal legal action for accidental violations, provided testing is done in accordance with this policy and without harmful intent.
- ClearEvent will work with you to understand and resolve any inadvertent impact caused during testing.
- If legal action is initiated by a third party, ClearEvent will make it known that your actions were conducted in compliance with this policy.

Safe Harbor applies only if you:
- Follow the rules described in this policy
- Avoid accessing, modifying, or destroying data
- Do not disrupt ClearEvent’s services or live customer events
- Do not publicly disclose vulnerabilities before ClearEvent resolves them

Actions taken outside of this policy may be considered unauthorized.

6. Coordinated Vulnerability Disclosure

ClearEvent follows Coordinated Vulnerability Disclosure (CVD) practices. This means:
- We work collaboratively with researchers to validate, fix, and disclose confirmed vulnerabilities.
- We aim to remediate issues promptly and safely.
- We will notify the researcher once a fix is deployed and may publicly acknowledge their contribution.
- Researchers must not disclose vulnerability details publicly until remediation is complete.

7. What to Expect From ClearEvent

When you submit a valid report:
- We will acknowledge receipt within a reasonable timeframe.
- We will review the issue and may request additional information.
- We will work to remediate confirmed issues promptly based on severity.
- We will notify you when the issue has been resolved.
- With your consent, we may recognize your contribution publicly.

8. Researcher Code of Conduct

Researchers must:
- Limit testing to what is necessary to confirm a vulnerability
- Avoid accessing, modifying, or retaining customer or attendee data
- Stop testing immediately if unintended access or system impact occurs
- Not disrupt ClearEvent services or live customer events
- Not share or publicly disclose the vulnerability until remediation is complete

9. Rewards and Disclaimer

Recognition may be provided at our discretion. This policy does not create any enforceable rights or obligations. ClearEvent may offer monetary rewards for vulnerability reports at our discretion.

10. Policy Updates

ClearEvent may update this policy at any time. The most current version will always be available at: https://clearevent.com/security-policy.txt

Thank you for helping keep ClearEvent secure.