Last updated: April 11, 2026

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in ClearQuote, please email us at:

security@clearquoteapp.com

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 days.

Please include as much detail as possible: description of the issue, steps to reproduce, potential impact, and any suggested remediation if you have one.

Scope

This policy covers the ClearQuote web application at clearquoteapp.com and its associated API endpoints.

Out of Scope

The following third-party services are not covered by this policy. Please report vulnerabilities in these services directly to their respective security teams:

• Supabase (supabase.com/security)
• Stripe (stripe.com/docs/security)
• Vercel (vercel.com/security)
• Resend (resend.com)
• Anthropic (anthropic.com/security)
• Upstash (upstash.com)

Disclosure Policy

We ask that you give us reasonable time to address the issue before public disclosure. We commit to keeping you informed of our progress. We will not pursue legal action against security researchers who act in good faith under this policy and disclose findings to us before public disclosure. We consider good-faith security research to be authorized and will not pursue legal claims under the Computer Fraud and Abuse Act (CFAA) or similar state laws for research conducted in compliance with this policy.

Bug Bounty

We do not currently offer a paid bug bounty program. We acknowledge responsible researchers' contributions publicly (with their permission) and are grateful for reports that help us improve our security.

Vulnerability Disclosure Timeline

We aim to release security fixes and advisories within 90 days of confirming a reported vulnerability. We will coordinate with the reporting researcher on disclosure timing when possible.

Internal Procedures

For internal incident response procedures, see our Data Processing Addendum.