Security Vulnerability Disclosure Policy
Clearboard takes the security of teacher and student data seriously. If you discover a security vulnerability in our systems, we encourage responsible disclosure using the process below.
Reporting a vulnerability
Email info@clearboard.com.au with the subject line: Security: [brief description].
Include in your report:
- Step-by-step instructions to reproduce the issue
- The affected URL or API endpoint
- Your browser and operating system (if relevant)
- An assessment of the potential impact, including what data or functionality could be affected
Please do not:
- Run automated scanners or crawlers against our systems without prior written permission
- Conduct denial-of-service testing of any kind
- Exfiltrate real student or teacher data, even as proof of concept
- Access or modify accounts that do not belong to you
If you are unsure whether a finding is in scope, send a brief email first and we will let you know before you proceed.
Our commitment
We treat good-faith security researchers as partners, not adversaries. In return for following these guidelines, we commit to:
- Acknowledging your report within 5 business days by email
- Providing a status update at least every 7 days until the issue is resolved or determined to be out of scope
- Crediting you by name or handle in the "Recognised researchers" section below, if you would like public credit
- Not pursuing legal action against researchers who act in good faith and stay within the scope defined here
We ask for reasonable confidentiality: please do not disclose the vulnerability publicly until we have had the opportunity to investigate and remediate.
Scope
In scope:
- clearboard.com.au and all subdomains (*.clearboard.com.au)
- Authenticated API endpoints behind /api
- Authentication and session management flows
Out of scope:
- Supabase infrastructure (supabase.com) - report via supabase.com/security
- Vercel platform infrastructure - report via vercel.com/security
- Google Cloud and Vertex AI - report via bughunters.google.com
- Third-party OAuth and authentication providers - those services maintain their own responsible disclosure programmes
Findings in out-of-scope services should be reported directly to those vendors.
Recognised researchers
This section will list researchers who have responsibly disclosed vulnerabilities in Clearboard systems once the programme is active. We are grateful to everyone who takes the time to help keep teacher and student data safe.
No disclosures have been received yet.