Security

Security & Bug Bounty Program

Our responsible disclosure policy explains how security researchers can help protect ClickToAutomate customers, what is in scope, and how we respond to every valid report.

01

Vulnerability Disclosure Program

ClickToAutomate is committed to protecting the businesses that rely on our AI Business OS. We know that security is not a one-time checklist — it is an ongoing partnership between our engineering team and the wider security community.

Our Vulnerability Disclosure Program gives security researchers a clear, safe path to report issues they discover in our in-scope systems. If you find something that could put customer data, authentication flows, or platform availability at risk, we want to hear from you before it is exploited in the wild.

We review every good-faith report with urgency, keep you informed as we investigate, and work to remediate validated issues as quickly as possible. Responsible disclosure makes the platform safer for every customer running an AI Employee, CRM pipeline, or integration workflow on ClickToAutomate.

02

In-scope Assets

Reports are accepted for vulnerabilities found in the production and staging surfaces that directly power the ClickToAutomate platform. This includes preview.clicktoautomate.in, which hosts our preview and staging environment, and all subdomains under *.ctastore.in that belong to the CTA Store platform.

Customer-facing authenticated surfaces are also in scope, including dashboard.clicktoautomate.in for account and workspace management, api.clicktoautomate.in for platform APIs and webhooks, and auth.clicktoautomate.in for authentication and authorization flows.

If you are unsure whether a host or endpoint is in scope, email security@clicktoautomate.in before testing. We would rather confirm scope upfront than have you spend time on assets we cannot action.

03

How to Report Vulnerabilities

Send vulnerability reports to security@clicktoautomate.in. A strong report helps us reproduce and fix the issue faster, so please include a clear description of the vulnerability, step-by-step reproduction instructions, and the timeline or conditions required to trigger it.

If you have a proof-of-concept, exploit code, screenshots, or a short screen recording, include those as well. Tell us what you believe the impact could be — for example, unauthorized access, data exposure, privilege escalation, or service disruption — and share the severity you think is appropriate.

Please include your preferred contact details and, if you use one, your PGP key. We aim to acknowledge every report within 48 hours and will provide status updates until the issue is resolved or declined with a clear explanation.

04

Severity Classification

We classify findings using a practical severity model so engineering and leadership can prioritize remediation correctly. Critical issues include complete system compromise, widespread data breach, or authentication bypass that exposes customer accounts or administrative controls.

High-severity findings cover significant flaws that could lead to data loss, account takeover, or meaningful abuse of platform functionality under realistic conditions. Medium-severity issues are still important, but typically require specific prerequisites, limited blast radius, or chained exploitation before they become dangerous.

Low-severity reports cover minor weaknesses with minimal security impact, such as informational leaks that do not expose sensitive data on their own. Severity influences response time, fix priority, and whether the report qualifies for public recognition on our Hall of Fame page.

05

Out of Scope

Some findings fall outside what we can accept through this program. We generally do not accept reports for TLS or SSL configuration observations without a demonstrated exploit, vulnerabilities that depend on a compromised user account supplied by the reporter, or denial-of-service and distributed denial-of-service attacks against any ClickToAutomate property.

We also exclude cosmetic UI bugs, spelling mistakes, login or logout CSRF issues without practical impact, missing security headers without a linked exploit, open redirects or clickjacking scenarios that cannot be used to compromise users, and exposed metrics or logs that do not contain sensitive information.

Reports that require an active man-in-the-middle position, or that target domains and services outside the in-scope list above, cannot be processed through this program. When in doubt, ask before you test.

06

Our Response Process

Every valid report moves through a structured response workflow. First, we confirm receipt and validate that the submission is in scope and reproducible. Our security team then investigates the issue, reproduces it in a controlled environment, and assesses customer impact.

Once validated, engineering develops and tests a fix, then deploys it through our normal release process with additional monitoring where needed. After remediation, we notify the reporter and discuss coordinated disclosure timing if the finding was significant.

Timelines vary by severity, but our goal is to resolve qualifying issues within 90 days. Critical vulnerabilities are escalated immediately and may receive an emergency patch outside the standard release cadence.

07

Hall of Fame & Recognition

Researchers who submit qualifying, responsibly disclosed vulnerabilities may be recognized on our public Hall of Fame page. Recognition can include the name or handle you prefer, your organization or independent affiliation, a brief description of the vulnerability class, and the date of responsible disclosure.

We do not publish exploit details that would help attackers, and we will never share your contact information without permission. In addition to public recognition, qualifying reporters may receive complimentary premium access to ClickToAutomate and may be featured in our security communications when appropriate.

If you prefer to remain anonymous, we will honor that request while still tracking the contribution internally.

Last updated: July 8, 2026

We may update this policy from time to time. Your continued use of our platform after updates constitutes your acceptance of the changes.

Ready to Report?

Found a security issue? Email our security team with a clear description, reproduction steps, and impact assessment. We respond to every good-faith report.