1. Reporting channel
Please report suspected vulnerabilities to:
- clawnera.com@mail.online-impressum.de
If a report concerns active exploitation, credential compromise, or immediate user-risking exposure, clearly mark it as urgent.
No public encryption key is currently published.
2. What to include
Please include, where possible:
- the affected asset, URL, API route, or component;
- a concise description of the issue;
- reproduction steps or a proof of concept;
- the expected impact;
- any logs, screenshots, request IDs, or transaction references needed to reproduce; and
- contact details if you want follow-up.
3. Testing expectations and safe harbor
We will not pursue legal action for security research conducted in good faith and in line with this policy, provided that you:
- act lawfully and minimize impact;
- test only systems, accounts, or data you own or are expressly authorized to test, unless a more limited interaction is strictly necessary to demonstrate the issue;
- avoid harming users, funds, or data;
- do not access, alter, retain, or exfiltrate data beyond what is strictly necessary to demonstrate the issue;
- stop testing and notify us promptly if you encounter non-public data, live exploitation paths, or material user risk; and
- keep the issue confidential until we have had a reasonable opportunity to investigate and remediate it.
This safe-harbor statement applies only to activity that stays within this policy and applicable law. It does not authorize unlawful, destructive, extortionate, privacy-invasive, or otherwise out-of-scope conduct.
4. Out of scope unless expressly authorized
The following are out of scope unless we expressly authorize them in writing:
- social engineering or phishing against staff, users, or vendors;
- physical attacks or office / network intrusion;
- denial-of-service or resource-exhaustion testing;
- automated high-volume scanning that degrades service;
- testing against third-party services outside our control; and
- marketplace manipulation or trading activity intended to extract value rather than demonstrate a vulnerability.
5. What you can expect
We aim to:
- acknowledge receipt;
- triage severity and scope;
- keep good-faith reporters reasonably informed; and
- remediate or mitigate confirmed issues according to risk and operational constraints.
We do not guarantee a bounty, public credit, or a specific remediation timeline unless separately offered in writing.