Customer-operated by default
Climakers tools are designed to run inside customer-controlled environments so documentation data does not need to transit through a mandatory Climakers service.
Climakers designs customer-operated tools to minimize data exposure, reduce dependency risk, and fit regulated documentation workflows.
Security at Climakers starts with architecture: customer-controlled execution, least-privilege behavior, minimal third-party dependencies where practical, and strict controls across the software development life cycle.
Climakers prefers the smallest permission set and the narrowest data handling required for the documented workflow.
Climakers applies a build-your-own bias and keeps third-party library use minimal where practical to reduce supply-chain exposure and simplify review.
Climakers applies security controls across design, implementation, review, release, and maintenance.
Security expectations are considered during product design, code review, and release preparation so risky behavior is identified before publication.
Climakers keeps software and dependencies current, reviews external components carefully, and prefers simpler implementations when they reduce attack surface.
Release processes are intended to preserve integrity, reduce accidental exposure, and maintain a reliable update path for customers.
Security depends on both product design and customer operating practice.
Customers should store tokens, secrets, and exports in their own approved systems. Climakers documentation promotes environment variables, local control, and redaction.
When contacting support, remove secrets, private content, internal URLs, identifiers, and file paths unless disclosure is strictly necessary and approved by your organization.
If you believe you found a vulnerability, report it privately to support@climakers.com with enough detail to reproduce the issue safely.
Climakers products are built for teams that operate under controlled processes and external requirements.
Portable outputs, transparent CLI workflows, least-privilege operation, and limited dependency use help customers integrate Climakers into governed environments.
Climakers aims to support customers working toward or operating within ISO 9001, ISO 27001, ISO 27017, NIS 2, SOC 2, GMP, and similar frameworks. Climakers itself is not currently certified under any of these frameworks; the design and operating principles described on this page are intended to support customer integration into governed environments without implying a certification claim.
The summary above outlines the main commitments. The text below presents the public Security Policy in a more traditional plain-text format.
The Climakers security posture begins with the product model: customer-operated tools, customer-controlled storage, and no mandatory relay of documentation content through Climakers infrastructure for normal use.
This architecture is intended to reduce data exposure and give customers direct control over credentials, exports, retention boundaries, and operational governance inside their own environments.
Climakers applies security controls during design, implementation, review, release, and maintenance, including consideration of permissions, behavior, dependency choices, and release integrity.
Climakers keeps software updated and prefers simpler, reviewable implementations where they reduce attack surface, complexity, or supply-chain risk.
Climakers follows least-privilege principles and aims to request or require only the access necessary for the documented product workflow. Access decisions are meant to stay narrow, explicit, and operationally understandable.
Climakers also applies a minimal third-party library approach where practical, with a build-your-own bias for core logic when that choice improves reviewability or lowers dependency exposure.
Customers remain responsible for managing tokens, environment variables, workstation and host security, storage controls, access controls, backups, and the broader security and compliance posture of their own environment.
When requesting support, customers should provide redacted diagnostics and avoid transmitting secrets, regulated content, or unnecessary private information unless disclosure is strictly necessary and approved internally.
Climakers aims to support teams operating under structured frameworks such as ISO 9001, ISO 27001, ISO 27017, NIS 2, SOC 2, GMP, and similar requirements, but customers remain responsible for their own assessments, evidence, controls, and attestations.
Climakers itself is not currently certified under SOC 2, ISO 27001, ISO 27017, or other equivalent third-party attestations. References to these frameworks describe the design intent of Climakers products and are not a representation that Climakers holds a certification or independent audit report under any of them.
Climakers welcomes responsible reporting of security issues. Suspected vulnerabilities should be reported privately to support@climakers.com with sufficient detail to reproduce the issue safely, including the affected product version, environment, and a clear description of the impact. Climakers will acknowledge a good-faith report within a reasonable triage window, will keep the reporter informed of progress, and will work to publish or distribute fixes without unnecessary delay. Climakers does not currently operate a paid bug bounty program.
Researchers acting in good faith under this policy — making reasonable efforts to avoid privacy violations, service disruption, and data destruction; testing only systems within the scope of Climakers-operated infrastructure and Climakers products; and giving Climakers a reasonable opportunity to investigate before public disclosure — will not face legal action from Climakers for that activity. This safe harbor is limited to Climakers-operated systems, does not bind third parties, and does not extend to activities prohibited by applicable law.
The public Climakers site is served over HTTPS with TLS, redirects HTTP traffic to HTTPS, and is configured with HTTP Strict Transport Security so that compliant browsers refuse insecure connections. Standard security-relevant HTTP response headers are applied where supported by the platform. The site is hosted on a managed platform that provides isolated build environments and operational controls for the runtime.
Customer documentation content is never required to flow through the public site. The site operates as a thin marketing and licensing front end; payment and license issuance are handled by the merchant of record under that provider's own security program.
Climakers product releases are produced from controlled build pipelines that pin third-party dependencies, record their versions, and are intended to keep the release artifact stream auditable. Release artifacts are distributed through documented channels referenced in the product documentation. Customers should obtain Climakers tools only from those documented channels.
Climakers reviews dependency advisories and security disclosures for the third-party components listed in the product license-terms documents and aims to publish updates that address known issues in a timely and proportionate manner. Customers should keep installed Climakers tools updated to receive security fixes.