01 Security

Security & disclosure

Found a security issue? Here is how to tell us, safely — and what we’ll do about it.

Last updated: 2026

We take the security of the things we build and run seriously, and we welcome reports from researchers who help us keep them safe. This page explains how to report an issue and what to expect.

01 Scope

What this covers

This policy covers the Scriptus website and the products and infrastructure we operate. If you have found a genuine security weakness in something we run, we want to hear about it.

If the issue is in a client’s product we built but do not operate, send it to us anyway — we will pass it to the right people and keep you in the loop where we can.

02 Our commitment

How we will treat your report

If you report a security issue in good faith, here is what you can expect from us:

  • We will acknowledge your report promptly and keep you updated as we investigate.
  • We will work to fix confirmed issues quickly, and we are glad to credit you once an issue is resolved (if you would like).
  • We will not pursue legal action against you for good-faith research that follows the guidelines below.

Under the hood

Good-faith research means: you stayed within the guidelines below, did not access or modify data that is not yours, did not degrade the service, and gave us a reasonable chance to fix the issue before sharing it.

03 Guidelines

Please keep it safe

So that everyone stays protected while you investigate, please:

  • Don’t access, change, or delete data that isn’t yours — use test accounts and your own data.
  • Don’t run attacks that degrade the service, such as denial-of-service, spam, or high-volume automated scanning.
  • Don’t use social engineering, phishing, or physical attacks against our people or offices.
  • Give us a reasonable amount of time to fix an issue before disclosing it publicly.

04 Out of scope

What we usually won’t action

Some reports describe theoretical weaknesses with no real-world impact. To set expectations, the following generally fall outside this policy unless you can show a concrete, exploitable risk:

  • Missing security headers or best-practice suggestions with no demonstrated impact.
  • Reports generated solely by an automated scanner, without a working proof of concept.
  • “Self-XSS” that requires a victim to paste something into their own browser.
  • Issues that require a fully compromised device, a rooted phone, or a physically present attacker.

05 Contact

Report a vulnerability

Email security@scriptus.ca with what you found, where you found it, and the steps to reproduce it (a short proof of concept helps a lot). We will confirm we’ve received it and take it from there.