Last Updated: 7/29/24

1. Introduction

At Canto, we prioritize the security and privacy of our users. We are committed to protecting our systems and data from potential vulnerabilities. This policy outlines our approach to receiving, assessing, and addressing security vulnerabilities.

2. Scope

This policy applies to all systems, applications, and services owned or operated by Canto Inc. and Canto GmbH.

3. Reporting a Vulnerability

We encourage security researchers to report any vulnerabilities they discover. Please include the following information in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Any supporting evidence (e.g., screenshots, logs) 

Reports can be submitted via email to security@canto.com.

4. Our Commitment

Upon receiving a vulnerability report, we commit to:

  • Acknowledge receipt of the report within 72 hours
  • Provide an initial assessment of the report within five business days
  • Keep the reporter informed of the progress and status of the vulnerability
  • Work to remediate the vulnerability in a timely manner

5. Safe Harbor

We believe in ethical security research and will not take legal action against individuals who:

  • Engage in testing within the scope of this policy
  • Avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to others

6. Contact

For any questions or to report a vulnerability, please contact us at security@canto.com.