Security Disclosure Policy

Security is fundamental to our mission. We greatly value the research community's efforts to help keep our users safe and appreciate any input that helps us find vulnerabilities in our product.

How to Report a Security Vulnerability

If you have discovered a security vulnerability in Canticle, please report it to us immediately by sending an email to [email protected] with the following details:

  • A summary of the issue and potential impact
  • A breakdown of the steps to replicate the issue
  • Details of the environment you are using
  • If available, any proof-of-concept code to exploit the vulnerability

Upon receiving your email, our security team will start investigating the issue immediately. We will keep you updated on our progress and may reach out for further details if needed. Once the issue is resolved, we will update our users as appropriate.

Focus Areas

We are particularly interested in vulnerabilities related to:

  • Authentication bypass and privilege escalation
  • Exposure of personally identifiable information (PII)
  • Access to data outside of authorized scope
  • SQL injection and remote command execution
  • Session management vulnerabilities
  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)

In Scope

Security testing is welcome on:

  • Canticle web application
  • Canticle API endpoints
  • Canticle integrations and browser extensions

Out of Scope

The following activities are considered out of scope:

  • Automated scanning of any kind without prior authorization
  • Denial of Service (DoS) attacks of any kind
  • Attacks requiring physical access to a user's device
  • Man-in-the-middle attacks
  • Missing security best practices that do not directly lead to a vulnerability
  • Issues in third-party services not directly controlled by Canticle

Responsible Disclosure Guidelines

We kindly ask that you:

  • Only test vulnerabilities on accounts you own or have explicit permission to test
  • Make a good faith effort to avoid privacy violations, data destruction, or service interruption
  • Do not attempt to access data belonging to other users
  • Avoid expanding access beyond what is necessary to demonstrate the vulnerability
  • Do not publicly disclose the vulnerability before reporting it to us and allowing adequate time for resolution
  • Provide us with a reasonable amount of time to address the issue before any disclosure

Recognition

We believe in recognizing the valuable contributions of security researchers. For valid vulnerabilities that represent a significant security risk, we may provide:

  • Recognition in our security acknowledgments (with your permission)
  • Direct communication with our security team
  • Updates on the resolution timeline and process

Thank you for helping us keep Canticle secure for everyone.