Scaan Technologies
· Draft · Placeholder pending counsel review
Security · Disclosure

Responsible Disclosure.

Last updated · 2026-05-13

Scaan Technologies welcomes reports of security issues from researchers and operators acting in good faith. This policy sets out how to report a vulnerability in this site or in publicly accessible Scaan infrastructure, and what you can expect from us in return.

Customer-deployed Scaan platforms operate on customer infrastructure under separate engagement agreements; vulnerabilities found in those deployments should be reported through the agreement's designated channel, not through this policy.

  1. Scope

    This policy applies to:

    • scaan.tech and its subdomains
    • Publicly accessible Scaan corporate infrastructure
    • Source code and binaries that Scaan distributes publicly (if any)

    The following are out of scope:

    • Customer-deployed Scaan platforms running on customer infrastructure
    • Third-party services that we depend on
    • Social engineering of Scaan personnel or partners
    • Denial-of-service activity of any kind, including resource exhaustion
  2. How to Report

    Send vulnerability reports to security@scaan.ai. Where possible, encrypt the contents using the published PGP key.

    [PGP fingerprint to be added — security team to provision.]

    A good report includes:

    • A clear description of the issue and its impact
    • Reproduction steps
    • The URL, endpoint, or component affected
    • Any proof-of-concept artifacts
    • Your preferred public credit (or anonymity)
  3. Safe Harbour

    Scaan will not pursue civil action or initiate complaints to law enforcement for security research conducted in good faith and in accordance with this policy. Good faith means:

    • Stopping at proof-of-impact — no data exfiltration beyond what is needed
    • Avoiding privacy violations and destruction or modification of data
    • Reporting the issue promptly
    • Giving us reasonable time to fix the issue before disclosure
  4. What to Expect

    When we receive a report we will:

    • Acknowledge receipt within two business days
    • Investigate, validate the finding, and keep you informed of progress
    • Coordinate disclosure once the issue is fixed, with credit to you if you wish

    Scaan does not currently operate a paid bug bounty programme. We may offer public acknowledgement and, where appropriate, a token of thanks.

  5. Contact

    Reports: security@scaan.ai. Please use the PGP key published alongside this policy for anything sensitive.