Security
Responsible Disclosure Policy
Last updated: 2026-06-05
Scope
This policy applies to security vulnerabilities found in the following Clendan-owned systems:
- api.clendan.com — backend API and agent execution endpoints
- app.clendan.com — the Clendan web application
- clendan.com — the marketing site
How to Report
Email security@clendan.com with the following information:
- A clear description of the vulnerability and the affected system
- Step-by-step instructions to reproduce it
- The potential security impact if exploited
- Any relevant screenshots, HTTP request/response logs, or proof-of-concept code
What Clendan Commits To
- We will not pursue legal action for good-faith security research that follows this policy
- We will acknowledge your report within 48 hours
- We will provide a status update within 7 days of acknowledgement
- We will patch critical vulnerabilities within 90 days of confirmation
- We will credit you in our changelog when a fix ships (unless you prefer anonymity)
What Researchers Must Not Do
- Perform denial-of-service attacks or disrupt service for other users
- Use social engineering against Clendan staff or users
- Access, download, or modify data belonging to other users
- Perform physical attacks against infrastructure
- Attempt to compromise third-party services (Plaid, Xero, Clerk, etc.) via Clendan
Out of Scope
- Third-party services or integrations not under Clendan's control
- Physical attacks against data centres or infrastructure
- Social engineering of Clendan employees or contractors
- Issues in non-production or staging environments
- Spam or rate-limiting bypass without demonstrated security impact