Security Policy / Vulnerability Disclosure

YFM LLC (“we”) welcomes vulnerability reports from external security researchers to help keep Clipes safe for all users. This page defines the reporting channel and response process for discovered vulnerabilities.

1. Contact

Vulnerability Report Emailyamaguchi@dant-kiwameru.jp
LanguagesJapanese / English
Response HoursWeekdays 9:00–18:00 JST (for urgent matters, please discuss separately)
PGP Public KeyNot published at this time.

※ The above email address is currently used as the security contact. We plan to open security@clipes.io in the future.

2. Response Process

  1. Acknowledgement: We will reply to confirm receipt of your report within 2 business days.
  2. Initial Investigation: We will review the report and identify reproduction steps and impact scope.
  3. Remediation: We will prioritize fixes based on risk level, addressing the most impactful issues first.
  4. Notification: After remediation is complete, we will notify the reporter. Where necessary, affected users will also be notified.

3. Information to Include in Your Report

  • Overview of the vulnerability and estimated impact
  • Steps to reproduce (relevant URL, input values, required permissions, etc.)
  • Tools and environment used (browser, OS, etc.)
  • Contact information (email address for our reply)

4. Prohibited Activities

Please refrain from the following when conducting research. We are not liable for any damages caused by these activities.

  • Excessive load testing, DoS/DDoS attacks against the production environment
  • Accessing, modifying, or destroying other users' data
  • Social engineering (deceptive contact with our staff)
  • Disclosing vulnerabilities to third parties before mutual confirmation of remediation

5. security.txt

A security.txt compliant with RFC 9116 is published at the following URL:

https://clipes.io/.well-known/security.txt