Last updated: April 23, 2026

Effective: April 23, 2026

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in ClearQuote, please email us at:

security@clearquoteapp.com

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 days.

Please include as much detail as possible: description of the issue, steps to reproduce, potential impact, and any suggested remediation if you have one.

Scope

This policy covers:

  1. the ClearQuote web application at clearquoteapp.com and its associated API endpoints;
  2. the ClearQuote autonomous feedback agent (the server-side process that monitors support@ and security@ inboxes, triages reports using AI, and generates code fixes via GitHub pull requests).

Out of Scope

The following third-party services are not covered by this policy. Please report vulnerabilities in these services directly to their respective security teams:

Disclosure Policy

We ask that you give us reasonable time to address the issue before public disclosure. We commit to keeping you informed of our progress. We will not pursue legal action against security researchers who act in good faith under this policy and disclose findings to us before public disclosure. We consider good-faith security research to be authorized and will not pursue legal claims under the Computer Fraud and Abuse Act (CFAA) or similar state laws for research conducted in compliance with this policy.

Bug Bounty

We do not currently offer a paid bug bounty program. We acknowledge responsible researchers' contributions publicly (with their permission) and are grateful for reports that help us improve our security.

Vulnerability Disclosure Timeline

We aim to release security fixes and advisories within 90 days of confirming a reported vulnerability. We will coordinate with the reporting researcher on disclosure timing when possible.

Internal Procedures

For internal incident response procedures, see our Data Processing Addendum.

Autonomous Agent Change Controls

ClearQuote operates an autonomous feedback agent that classifies inbound support emails and generates code fixes for qualifying bug reports. The following controls limit the scope and rate of autonomous changes:

  1. Sensitive file blocklist. The agent is prevented from modifying authentication handlers, payment webhook handlers, database RLS migration files, and Supabase client libraries. This restriction is enforced both in the agent's instructions and by post-execution file inspection.
  2. Verification gate. All autonomous code changes must pass TypeScript compilation (tsc --noEmit), linting (eslint), and a production build (npm run build) before being committed.
  3. PR rate cap. Autonomous pull requests are limited to 3 per 24-hour period.
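One way controls 1 and 3 could be checked after the agent runs, written here as an added example rather than ClearQuote's own code: the path patterns, the repository layout they imply and the sample diff are constructed assumptions, not anything the policy specifies.

```typescript
// Added example (not ClearQuote's code). Post-execution inspection of the files an
// autonomous change touched, plus the trailing-24-hour PR cap. The path patterns
// below model the four categories the policy names; the layout is assumed.
const SENSITIVE_PATTERNS: RegExp[] = [
  /(^|\/)auth\//i,                   // authentication handlers (assumed path)
  /webhooks?\/.*(stripe|payment)/i,   // payment webhook handlers (assumed path)
  /supabase\/migrations\/.*rls/i,     // database RLS migration files (assumed path)
  /lib\/supabase/i,                   // Supabase client libraries (assumed path)
];

// Normalise "./" prefixes and backslashes so a cosmetic variant of a blocked
// path cannot slip past the patterns, then return every path that matches.
function findBlockedPaths(changedFiles: string[], patterns: RegExp[] = SENSITIVE_PATTERNS): string[] {
  return changedFiles
    .map((p) => p.replace(/\\/g, "/").replace(/^\.\//, ""))
    .filter((p) => patterns.some((re) => re.test(p)));
}

// Parse the line-per-path output of `git diff --name-only`.
function parseNameOnly(diff: string): string[] {
  return diff.split("\n").map((l) => l.trim()).filter((l) => l.length > 0);
}

// Overall verdict for the "sensitive file blocklist" control: a single blocked
// path is enough to reject the change.
function inspectChange(diff: string): { allowed: boolean; blocked: string[] } {
  const blocked = findBlockedPaths(parseNameOnly(diff));
  return { allowed: blocked.length === 0, blocked };
}

// "PR rate cap" control: permit a new PR only if fewer than `cap` autonomous PRs
// were opened in the 24 hours ending at `now`. Future timestamps are ignored.
function underPrCap(openedAt: Date[], now: Date, cap = 3): boolean {
  const windowStart = now.getTime() - 24 * 60 * 60 * 1000;
  const recent = openedAt.filter(
    (t) => t.getTime() > windowStart && t.getTime() <= now.getTime(),
  ).length;
  return recent < cap;
}

// Constructed sample diff: one harmless UI file and two blocked paths, one of
// them written with a "./" prefix.
const SAMPLE_DIFF = `src/components/QuoteForm.tsx
src/lib/supabase/client.ts
./src/auth/session.ts
`;

console.log(inspectChange(SAMPLE_DIFF)); // allowed: false, two blocked paths
```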

Agent Infrastructure

ClearQuote also operates a lightweight autonomous agent on a dedicated Mac Mini server. This agent polls official support and security email inboxes, runs AI triage, and generates code fixes. The agent runs as a user-level process (not root) and stores state locally. Credential security for the agent follows standard service-credential management practices.