Security & disclosure
Found a security issue? Here is how to tell us, safely — and what we’ll do about it.
Last updated: 2026
We take the security of the things we build and run seriously, and we welcome reports from researchers who help us keep them safe. This page explains how to report an issue and what to expect.
What this covers
This policy covers the Scriptus website and the products and infrastructure we operate. If you have found a genuine security weakness in something we run, we want to hear about it.
If the issue is in a client’s product we built but do not operate, send it to us anyway — we will pass it to the right people and keep you in the loop where we can.
How we will treat your report
If you report a security issue in good faith, here is what you can expect from us:
- We will acknowledge your report promptly and keep you updated as we investigate.
- We will work to fix confirmed issues quickly, and we are glad to credit you once an issue is resolved (if you would like).
- We will not pursue legal action against you for good-faith research that follows the guidelines below.
Good-faith research means: you stayed within the guidelines below, did not access or modify data that is not yours, did not degrade the service, and gave us a reasonable chance to fix the issue before sharing it.
Please keep it safe
So that everyone stays protected while you investigate, please:
- Don’t access, change, or delete data that isn’t yours — use test accounts and your own data.
- Don’t run attacks that degrade the service, such as denial-of-service, spam, or high-volume automated scanning.
- Don’t use social engineering, phishing, or physical attacks against our people or offices.
- Give us a reasonable amount of time to fix an issue before disclosing it publicly.
What we usually won’t action
Some reports describe theoretical weaknesses with no real-world impact. To set expectations, the following generally fall outside this policy unless you can show a concrete, exploitable risk:
- Missing security headers or best-practice suggestions with no demonstrated impact.
- Reports generated solely by an automated scanner, without a working proof of concept.
- “Self-XSS” that requires a victim to paste something into their own browser.
- Issues that require a fully compromised device, a rooted phone, or a physically present attacker.
Report a vulnerability
Email security@scriptus.ca with what you found, where you found it, and the steps to reproduce it (a short proof of concept helps a lot). We will confirm we’ve received it and take it from there.