Security: clerk/javascript

docs/SECURITY.md

Security Policy

We take the security of our systems seriously, and we value the security community. The disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you believe you’ve found a security vulnerability in one of our products or platforms, please send it to us by emailing security@clerk.dev. Please include the following details with your report:

  1. Description of the location and potential impact of the vulnerability; and

  2. A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us).

We will evaluate the vulnerability and, if necessary, release a fix or mitigating steps to address it. We will contact you to let you know the outcome, and will credit you in the report.

Please do not disclose the vulnerability publicly until a fix is released.

Once we have either a) published a fix, or b) declined to address the vulnerability for whatever reason, you are free to publicly disclose it.
