CliffSecurity
Responsible disclosure

We welcome coordinated disclosure.

If you find a security issue in our website, platform or operations that could be exploited, we want to know. Here is how to tell us — and what you can expect from us in return.

How to report

Email security@cliffsecurity.co.zw with a clear description of the issue, steps to reproduce, and any supporting evidence. If you have PGP, we accept encrypted reports — key on request.

What we promise

  • Acknowledge your report within one working day.
  • Assign a triage lead and communicate a rough timeline within five working days.
  • Keep you updated through remediation.
  • Credit you publicly (if you want credit) once the issue is resolved and public disclosure is agreed.
  • Not pursue legal action against researchers acting in good faith under this policy.

What we ask

  • Give us reasonable time to fix the issue before public disclosure.
  • Do not access, modify or delete data that isn't yours.
  • Do not perform DDoS, physical-security, or social-engineering tests.
  • Test only against scoped systems (our public website, our documented API endpoints). Our clients' deployments are out of scope.

Scope

  • In scope: cliffsecurity.co.zw and documented Guard Track API endpoints.
  • Out of scope: third-party services (social media, payment processors), client-specific deployments, physical-security testing, social engineering of staff.

Rewards

We do not currently operate a monetary bug-bounty program. We do publish a disclosure wall recognising researchers who've reported high-quality issues.