Responsible Disclosure
Canium builds security-critical infrastructure, and we welcome the work of security researchers who help us keep it sound. This policy explains how to report a vulnerability, what is in and out of scope, the rules we ask you to follow, and what you can expect from us in return.
Our Commitment — Safe Harbour
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized. We will not initiate or support legal action against you, and where a third party brings action against you for activity conducted in accordance with this policy, we will make it known that your actions were authorized.
We consider security research conducted consistent with this policy to be authorized access under the Criminal Code of Canada and applicable computer-misuse law. If at any point you are unsure whether a specific action is consistent with this policy, contact us at security@canium.ca before proceeding.
This safe-harbour commitment does not bind third parties that are not Canium, and it does not authorize activity that is unlawful independent of this policy.
Scope
The following assets, operated by Canium, are in scope:
canium.caand its subdomains- The Canium web, desktop, and mobile client applications
- Public APIs and backend infrastructure operated by Canium
- Our cryptographic implementation — MLS (RFC 9420 / OpenMLS), OPAQUE (RFC 9807), and the hybrid post-quantum KEM substrate (X25519 + ML-KEM-768)
The following are out of scope:
- Services, systems, or data operated by third parties rather than Canium
- Denial-of-service, volumetric, or resource-exhaustion testing of any kind
- Social engineering of Canium staff, contractors, or users; physical attacks; and attacks requiring physical access to a device
- Spam, phishing, or content-injection that depends on a user acting against an explicit warning
- Automated scanner output, or reports of missing hardening or best-practice headers, without a demonstrated, exploitable impact
- Findings that require a compromised or rooted endpoint, which is the user's own responsibility
Rules of Engagement
- Test only against accounts you own or test accounts you have explicitly created for this purpose.
- Do not access, modify, delete, or store data that is not yours. Stop as soon as you have a working proof of concept.
- Canium is end-to-end encrypted and server-blind by design. Do not attempt to access, decrypt, or exfiltrate the message content, keys, or credentials of any other user. If you incidentally encounter another party's data, stop immediately, do not retain or disclose it, and tell us in your report.
- Do not degrade, disrupt, or interrupt the service for other users.
- Give us a reasonable opportunity to remediate before disclosing a vulnerability publicly, and coordinate the timing with us.
- Comply with all applicable Canadian law throughout your research.
How to Report
Send your report to security@canium.ca. Our machine-readable contact details are published at /.well-known/security.txt.
A useful report includes:
- A clear description of the vulnerability and the affected component or URL
- Step-by-step instructions to reproduce it, with any proof-of-concept code or payloads
- Your assessment of the impact and, if known, the conditions required to exploit it
- How we can reach you for follow-up
We accept reports in English and French.
What to Expect From Us
We prioritize issues by their impact on Canium's core guarantees — anything that could compromise the confidentiality of message content, key material, or user authentication is treated as the highest priority.
| Stage | Our target |
|---|---|
| Acknowledgement of your report | Within 3 business days |
| Initial triage and severity assessment | Within 10 business days |
Recognition
Canium does not currently operate a paid bug-bounty program. With your permission, we are glad to credit you in our security acknowledgements once a reported issue is resolved. If you would prefer to remain anonymous, let us know and we will respect that.