Report Security Issues

If you believe you have identified a potential security vulnerability on clifton-hardware.com, we encourage responsible disclosure. We appreciate security researchers who help maintain the security, privacy, and reliability of our services.

As long as you comply with the guidelines below, clifton-hardware.com will not pursue legal action against individuals who report vulnerabilities in good faith.

Responsible Disclosure Guidelines

When reporting a security issue, please ensure that you:

  1. Allow reasonable time for investigation and remediation before publicly disclosing any details.

  2. Do not access, modify, or interact with private user accounts or personal data without explicit authorization.

  3. Avoid actions that could compromise user privacy, disrupt services, or affect system stability.

  4. Do not exploit vulnerabilities for personal gain or conduct testing beyond proof of concept.

  5. Follow all applicable laws, regulations, and third-party platform policies.

Vulnerability Reporting Program

We may recognize and reward valid vulnerability reports that help improve platform security. Any rewards or acknowledgements are entirely discretionary and depend on the severity, impact, and quality of the report.

This policy is intended to support transparency and does not constitute a contractual obligation, employment relationship, or guarantee of compensation.

Report Evaluation Criteria

To be eligible for review, reports must:

  1. Follow this disclosure policy.

  2. Identify a legitimate security or privacy risk affecting our website or services.

  3. Be submitted through our designated reporting channel. Please do not contact individual staff members.

  4. Clearly disclose any unintended access to data or systems encountered during testing.

  5. Acknowledge that response times may vary depending on report volume and severity.

  6. Accept that resolved issues may be publicly disclosed in anonymized form.

Severity Classification (Informational Only)

Severity levels are used internally for prioritization purposes and do not guarantee compensation.

Critical Impact

Examples include:

  • Remote code execution

  • Unauthorized administrative access

  • Financial or payment-related compromise

  • Full account takeover

High Impact

Examples include:

  • Authentication bypass

  • Cross-site scripting affecting other users

  • Exposure of sensitive system information

  • Session or cookie mismanagement

Medium Impact

Examples include:

  • Business logic flaws

  • Insecure object references affecting multiple users

Low Impact

Examples include:

  • Open redirects

  • Low-risk information disclosure

  • Issues requiring extensive user interaction

Important Notes

  • Reports must include sufficient technical detail to allow verification.

  • Duplicate reports may not be eligible for recognition.

  • Multiple findings caused by a single underlying issue may be treated as one report.

  • All decisions regarding prioritization, disclosure, and potential rewards are final.

Platform & Payment Compliance Notice

This policy is designed to align with:

  • Shopify platform policies

  • Google Merchant Center requirements

  • Stripe acceptable use and security standards

Nothing in this policy overrides user privacy rights, consumer protection laws, or payment provider regulations.