# Responsible Disclosure Policy for SQRFT (sqrft.ca)
#
# If you believe you have found a security vulnerability in SQRFT, please
# reach out to one of the addresses below. We appreciate coordinated
# disclosure and will respond within 3 business days.
#
# What we care about (in priority order):
# 1. Authentication / authorization bypass
# 2. RCE / SQL injection / template injection
# 3. XSS / CSRF / open redirects
# 4. Sensitive PII exposure (tenant IDs, credit reports, screening data)
# 5. Payment flow tampering
# 6. Phishing sites impersonating SQRFT (please include URL + evidence)
#
# What we do NOT consider a security issue:
# - Missing SPF/DKIM/DMARC on unused subdomains
# - Rate limiting / DoS-only reports without a compounding vulnerability
# - Vulnerabilities in third-party services we don't control
#   (Documenso, Stripe, Resend, Cloudflare: please report to them directly)
#
# Please DO NOT:
# - Exfiltrate real user data (use your own test account)
# - Publicly disclose before we've had a chance to remediate
# - Perform disruptive testing during business hours (Mountain Time, Canada)
#
# Thank you for helping keep Canadian landlords and tenants safe.
Contact: mailto:security@sqrft.ca
Contact: mailto:abuse@sqrft.ca
Expires: 2027-07-02T00:00:00.000Z
Preferred-Languages: en
Canonical: https://sqrft.ca/.well-known/security.txt
Policy: https://sqrft.ca/security