Responsible Disclosure

Canium builds security-critical infrastructure, and we welcome the work of security researchers who help us keep it sound. This policy explains how to report a vulnerability, what is in and out of scope, the rules we ask you to follow, and what you can expect from us in return.


Our Commitment — Safe Harbour

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized. We will not initiate or support legal action against you, and where a third party brings action against you for activity conducted in accordance with this policy, we will make it known that your actions were authorized.

We consider security research conducted consistent with this policy to be authorized access under the Criminal Code of Canada and applicable computer-misuse law. If at any point you are unsure whether a specific action is consistent with this policy, contact us at security@canium.ca before proceeding.

This safe-harbour commitment does not bind third parties that are not Canium, and it does not authorize activity that is unlawful independent of this policy.

Scope

The following assets, operated by Canium, are in scope:

The following are out of scope:

Rules of Engagement

How to Report

Send your report to security@canium.ca. Our machine-readable contact details are published at /.well-known/security.txt.

A useful report includes:

We accept reports in English and French.

What to Expect From Us

We prioritize issues by their impact on Canium's core guarantees — anything that could compromise the confidentiality of message content, key material, or user authentication is treated as the highest priority.

StageOur target
Acknowledgement of your reportWithin 3 business days
Initial triage and severity assessmentWithin 10 business days

Recognition

Canium does not currently operate a paid bug-bounty program. With your permission, we are glad to credit you in our security acknowledgements once a reported issue is resolved. If you would prefer to remain anonymous, let us know and we will respect that.


Security architecture and threat model →

security.txt — machine-readable contact