Responsible disclosure (report a vulnerability)

If you believe you’ve found a security issue in Canoma, please email security@canoma.app(PGP available on request). We acknowledge within 72 hours and keep you updated as we investigate.

In scope: app.canoma.app and api.canoma.app.
Out of scope: social engineering, denial‑of‑service, physical attacks, and findings without security impact. Please avoid accessing other customers’ data and never exfiltrate data.

We won’t pursue legal action for good‑faith research that follows these guidelines (“safe harbor”). If you need a test account, ask us. Automated high‑volume scanning is not permitted. Thank you for helping us keep customers safe.