Vulnerability Disclosure Policy
Responsible Security Vulnerability Reporting for ClosedLoop AI
Purpose
ClosedLoop AI is committed to maintaining the security of our systems and protecting customer data. We welcome reports of potential security vulnerabilities from the community and will work with security researchers to investigate and remediate valid issues in a responsible manner.
This Vulnerability Disclosure Policy outlines how security researchers and other individuals can report security vulnerabilities to ClosedLoop AI, and what they can expect from us in return.
Scope
This policy applies to the following ClosedLoop AI-managed assets:
- *.closedloop.sh - All subdomains and services under the closedloop.sh domain
- ClosedLoop AI web applications and APIs - Including our main platform, API endpoints, and related web services
- Backend services operated by ClosedLoop AI - Infrastructure and services directly managed by ClosedLoop AI
Out of Scope: Third-party services, integrations, or infrastructure not directly operated by ClosedLoop AI are out of scope for this policy. This includes but is not limited to:
- Third-party integration platforms (e.g., Gong, HubSpot, Salesforce)
- Cloud infrastructure providers (e.g., Microsoft Azure, unless the vulnerability is specific to ClosedLoop AI's configuration)
- Third-party libraries and dependencies (unless the vulnerability is specific to our implementation)
How to Report a Vulnerability
If you believe you have discovered a security vulnerability, please report it to us as soon as possible.
Email: [email protected]
Subject: "Security Vulnerability Report"
Please include the following information in your report:
- A description of the issue - What is the vulnerability and how does it work?
- Steps to reproduce - Detailed steps that allow us to reproduce the issue (if applicable)
- Potential impact - What could an attacker do with this vulnerability?
- Any relevant screenshots, logs, or proof-of-concept code - Evidence that helps us understand and validate the issue
- Your contact information - So we can follow up with you about the report
We prefer reports in English, but will do our best to work with reports in other languages.
Guidelines for Responsible Disclosure
We ask that you:
- Act in good faith - Do not engage in activities that could harm ClosedLoop AI, our customers, or our users
- Avoid privacy violations, data destruction, or service disruption - Do not access, modify, or delete data that does not belong to you, and do not disrupt our services
- Do not exploit the vulnerability beyond what is necessary to demonstrate it - Only perform testing necessary to validate the vulnerability
- Do not publicly disclose the issue until we have had reasonable time to address it - We request at least 90 days to investigate and remediate the issue before public disclosure
- Make a good faith effort to avoid accessing sensitive data - If you encounter sensitive data during your research, cease testing and report the issue immediately
- Do not use social engineering, phishing, or physical attacks - These are out of scope for this policy
Safe Harbor
ClosedLoop AI will not initiate legal action against individuals who:
- Discover and report vulnerabilities responsibly - Following the guidelines outlined in this policy
- Follow the guidelines outlined in this policy - Acting in good faith and within the scope of this policy
- Do not exploit vulnerabilities for malicious purposes - Do not use vulnerabilities to harm ClosedLoop AI, our customers, or our users
- Do not access or modify data beyond what is necessary to validate the issue - Only access data necessary to demonstrate the vulnerability
This safe harbor applies only to activities conducted in compliance with this policy. If you engage in activities that violate this policy, we reserve the right to take appropriate legal action.
Legal Protections: We will consider activities conducted consistent with this policy to constitute "authorized" conduct under the Computer Fraud and Abuse Act (CFAA) and similar laws. We will not bring a claim against you for circumventing the technological measures we have used to protect the applications in scope.
Our Commitment
Upon receiving a vulnerability report, ClosedLoop AI commits to:
- Acknowledge receipt within a reasonable timeframe - We will acknowledge receipt of your report within five (5) business days
- Investigate and validate the report - We will investigate the reported vulnerability and validate its existence and severity
- Prioritize remediation based on severity and impact - We will prioritize remediation efforts based on the severity of the vulnerability and its potential impact on our customers and users
- Communicate progress when appropriate - We will provide updates on our progress in addressing the vulnerability when appropriate, while respecting the need for confidentiality during the remediation process
- Publicly acknowledge your contribution - With your permission, we will publicly acknowledge your contribution to improving our security after the vulnerability has been remediated
Response Timeline: We aim to provide an initial response to all vulnerability reports within five (5) business days. For valid vulnerabilities, we will provide regular updates on our progress and expected timeline for remediation. The timeline for remediation will depend on the severity and complexity of the issue.
Severity Classification
We classify vulnerabilities based on their potential impact and likelihood of exploitation:
- Critical: Vulnerabilities that could lead to unauthorized access to customer data, system compromise, or widespread service disruption. Target remediation: 7 days
- High: Vulnerabilities that could lead to unauthorized access to sensitive information or significant service disruption. Target remediation: 30 days
- Medium: Vulnerabilities that could lead to limited unauthorized access or minor service disruption. Target remediation: 90 days
- Low: Vulnerabilities with minimal impact or that require significant user interaction to exploit. Target remediation: 180 days
These are target timelines and actual remediation may vary based on the complexity of the issue and other factors. We will communicate expected timelines for specific vulnerabilities as part of our response.
Bug Bounty
ClosedLoop AI does not currently operate a bug bounty program and does not offer monetary rewards for vulnerability reports.
However, we deeply appreciate the efforts of security researchers who help us improve our security posture. We will publicly acknowledge your contribution (with your permission) and may provide other forms of recognition for significant findings.
We may consider establishing a bug bounty program in the future as our security program matures.
Out of Scope Vulnerabilities
The following issues are generally considered out of scope for this policy:
- Denial of Service (DoS) attacks
- Social engineering attacks (including phishing)
- Physical attacks against ClosedLoop AI facilities or personnel
- Vulnerabilities in third-party services or applications not operated by ClosedLoop AI
- Vulnerabilities that require physical access to a user's device
- Issues that require unlikely user interaction
- Missing security best practices without a demonstrated security impact
- Vulnerabilities in outdated or unsupported browsers
- Content injection issues without a demonstrated security impact
- Cross-Site Request Forgery (CSRF) on forms that are not security-sensitive
- Missing HTTP security headers without a demonstrated security impact
- Clickjacking on pages with no sensitive actions
If you are unsure whether a vulnerability is in scope, please contact us at [email protected] before conducting any testing.
Changes to This Policy
This policy may be updated from time to time to reflect changes in our security practices or legal requirements. The latest version will always be available on our website at https://closedloop.sh/vulnerability-disclosure.
Material changes to this policy will be communicated through our website and, where appropriate, via email to security researchers who have previously reported vulnerabilities to us.
Contact Information
For questions about this policy or to report a security vulnerability, please contact us at:
Email: [email protected]
For general support inquiries, please contact [email protected].