Vulnerability Disclosure Policies
Effective March 30, 2026
(Inbound & Outbound)
1. Purpose
This Policy establishes CleanStart's process for the responsible disclosure, receipt, and handling of security vulnerabilities, whether reported by external parties (Inbound) or disclosed by CleanStart to customers and the public (Outbound). The aim is to promote transparency, minimize security risks, and align with CleanStart's Service Level Agreements on vulnerability management.
2. Inbound Vulnerability Disclosure (External Reports)
- Reporting Channels: Security researchers, customers, and third parties may submit vulnerability reports to the official CleanStart security contact address (security@cleanstart.com) or via the CleanStart Vulnerability Disclosure Program page.
- Safe Harbor: CleanStart will not pursue legal action against good-faith researchers who follow this Policy and do not exploit vulnerabilities beyond what is necessary to demonstrate proof-of-concept.
- Required Information: a description of the issue, including the affected product and version; steps to reproduce; and a potential impact assessment (if known).
- Acknowledgement: CleanStart will acknowledge valid reports within 48 hours and provide regular updates until resolution.
- Triage & SLA Alignment: Reported vulnerabilities will be assessed under the CVSS-based severity model and remediated within the timelines the SLA sets for each severity level.
- Researcher Credit: With consent, CleanStart may credit the reporter in release notes or advisories.
3. Outbound Vulnerability Disclosure (CleanStart to Customers / Public)
- Notification Commitment: CleanStart will notify affected customers of Critical and High vulnerabilities within 24 hours of validation and provide remediation guidance.
- Communication Channels: Direct customer notifications via registered security contacts; public advisories posted on the CleanStart security dashboard and mailing list.
- Content of Notifications: the nature of the vulnerability and its CVSS score; affected products and versions; workarounds or mitigation steps; and the timeline for patch availability.
- Major Vulnerability Events: In cases where vulnerabilities affect a significant portion of CleanStart images, notification and remediation steps will follow the SLA-defined escalation protocol.
4. Exclusions
- Reports concerning vulnerabilities in customer code, third-party software not maintained by CleanStart, or integrations outside CleanStart's control.
- Submissions lacking sufficient detail to reproduce.
5. Continuous Improvement
This Policy will be reviewed annually to incorporate feedback from customers, researchers, and regulatory changes.
