Security Policy
At Carpages, we take the security of our systems and users seriously. We believe that responsible disclosure of security vulnerabilities helps us ensure the safety and trust of our platform.
If you discover a vulnerability in any Carpages system, service, or application, we encourage you to report it to us. We appreciate the efforts of security researchers and the broader community in helping us keep our environment secure.
📬 How to Report a Vulnerability
Please send a detailed report to security@carpages.ca. Your report should include:
- A clear description of the vulnerability
- Steps to reproduce the issue (proof of concept, if available)
- The impact and any affected systems, services, or URLs
- Any suggestions you have for remediation
We aim to acknowledge your submission within 3 business days and provide updates as we investigate and resolve the issue.
âś… What We Ask From You
- Do not exploit the vulnerability beyond what’s necessary to demonstrate it
- Do not attempt to access, modify, or delete any data that isn’t your own
- Do not publicly disclose the issue until we’ve had a reasonable opportunity to investigate and respond
- Do not use automated scanning tools that could affect platform availability
đź’¬ What You Can Expect From Us
- We will not take legal action against you if you follow responsible disclosure practices
- We will investigate and address valid reports promptly
- We may acknowledge your contribution on a public “thank you” page (optional)
🗓️ Policy Scope
This policy applies to:
- Any Carpages-owned web applications or services under
*.carpages.ca - Public APIs and client applications maintained by Carpages
- Systems and infrastructure owned or operated by Carpages
Out of scope:
- Third-party services not managed by Carpages
- Denial of service attacks, phishing, or social engineering attempts
If you're unsure whether something falls within this policy, please reach out to us at security@carpages.ca and we’ll be happy to clarify.