Vulnerability Disclosure Policy
Last updated:
ClearWorks Foundry Inc. welcomes reports of security vulnerabilities affecting our website and services. This policy describes what is in scope, how to report, and what to expect from us.
Scope
In scope:
- *.clearworks.ca (including clearworks.ca, www.clearworks.ca, mta-sts.clearworks.ca)
- The contact-form API at 0hn7p6zp3c.execute-api.ca-central-1.amazonaws.com
- The published Lambda source code in our public repository
- DNS records, email authentication (SPF, DKIM, DMARC, MTA-STS, TLS-RPT)
Out of scope:
- Third-party services we depend on (AWS, SendGrid, hCaptcha, Google Workspace, report-uri.com, CIRA) — please report directly to the vendor.
- Social engineering of ClearWorks staff.
- Physical attacks.
- Denial-of-service (volumetric or application-layer) without a novel vector.
- Missing security headers that do not lead to a specific, demonstrable vulnerability.
- Reports from automated scanners without a proof of concept.
- Best-practice recommendations without an exploitable finding.
How to report
Send reports to security@clearworks.ca. Please include:
- A description of the vulnerability and its impact.
- Clear reproduction steps, including any proof-of-concept code, payloads, or HTTP requests.
- The affected URL or component.
- Your preferred name or handle for credit (or let us know you prefer anonymity).
What to expect from us
- Acknowledgement within 5 business days.
- Initial assessment — triage and severity classification — within 10 business days.
- Status updates at least every 14 days while we work on a fix.
- Resolution notification when the issue is fixed.
- Credit if you wish to be named.
Safe harbour
We consider good-faith security research conducted under this policy to be authorized. We will not pursue legal action, or support law-enforcement investigation, against researchers who:
- Follow this policy.
- Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability.
- Do not degrade service for other users.
- Do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it.
- Do not extort, demand payment, or threaten disclosure.
If you discover personal data during your research, stop immediately and include the details in your report. Do not retain it.
Coordinated disclosure
We ask that you give us a reasonable window to fix reported vulnerabilities before publishing details. Our default is 90 days from acknowledgement, extensible by mutual agreement for complex issues. If a fix ships sooner, you are welcome to publish immediately.
Bounty
ClearWorks does not currently offer a monetary bug bounty. We offer our gratitude, credit if you wish to be named, and direct communication with an engineer who actually fixes the thing.
Policy changes
This policy may change over time. This page is authoritative. The current version is referenced by our security.txt.
Contact
Questions about this policy or a disclosure in progress? Email security@clearworks.ca.