Help us keep Certus secure
We welcome security researchers and customers to report vulnerabilities. Our commitment: fast triage, transparent communication, and credit where due.
Step 1: Report
Submit potential vulnerabilities to security@certus.ai or via our HackerOne program. Please include steps to reproduce, impact, and any proof-of-concept.
Step 2: Triage
We respond within 24 hours, provide a tracking ID, and collaborate on validation. During remediation we keep you informed without disclosing sensitive tenant data.
Step 3: Remediate & credit
Fixes are prioritised based on severity. Once deployed, we coordinate public disclosure and optional researcher credit.
In scope
- Certus web console (production and pilot tenants)
- Evidence API and webhook endpoints under *.certus.ai
- Pilot CLI and blueprint execution service
Out of scope
- Denial of service attacks or volumetric traffic tests
- Social engineering against Certus or customer personnel
- Use of automated scanners without prior coordination
Urgent issues? Use GPG key ID 0xCERTUSSEC (fingerprint available on keys.openpgp.org).