Responsible Disclosure
Help keep Certus secure.
We accept responsible vulnerability reports from customers and researchers. The process is direct: report, validate, remediate, and close with a clear record.
Step 1: Report
Send suspected vulnerabilities through the configured disclosure channel. Include reproduction steps, impact, and any proof-of-concept that helps us validate quickly.
Step 2: Triage
We acknowledge, assign a tracking reference, and validate the issue without exposing tenant-sensitive information during review.
Step 3: Remediate
Fixes are prioritised by severity. After rollout, we coordinate disclosure timing and optional researcher credit.
In Scope
- Certus web application at getcertus.cloud
- Public API and webhook endpoints operated by Certus
- CLI-to-dashboard sync paths and evidence ingestion endpoints
Out of Scope
- Denial-of-service or traffic flooding tests
- Social engineering or phishing against staff or customers
- Automated scanning against production without coordination
Contact
Use your configured security disclosure channel for initial reports. Include the affected route, the expected impact, and proof of the issue. We do not ask researchers to use a separate external monitoring service or marketing form for disclosure.