Responsible Disclosure Policy

How to report a security vulnerability, what to expect from us, and the protections we offer researchers who act in good faith.

Last updated: June 16, 2026 · Contact: security@arcsense.ca

1. Overview

ArcSense Consulting Inc. takes the security of ATLAS seriously. If you believe you have found a security vulnerability in any ArcSense-owned system, we encourage you to report it to us responsibly.

We will work with you to understand and resolve the issue promptly, and we commit to acting in good faith toward researchers who report in good faith.

2. Scope

The following systems are in scope for this policy:

arcos.arcsense.ca — the ATLAS web application

arcos-admin.arcsense.ca — the ATLAS administration console

The ATLAS MCP server and API endpoints

Supabase-backed authentication and data access controls (row-level security, RLS bypass)

3. Out of scope

The following are out of scope and should not be tested:

Denial of service (DoS/DDoS) attacks against any ATLAS infrastructure

Social engineering, phishing, or physical attacks against ArcSense staff or customers

Vulnerabilities in third-party services we use (Supabase, Cloudflare, Microsoft) — report those directly to the respective vendor

Automated scanning that generates significant load on production systems

Accessing, modifying, or exfiltrating data belonging to other organizations or users

4. How to report

Send your report to security@arcsense.ca. Please include:

A clear description of the vulnerability and its potential impact

Steps to reproduce the issue, including any relevant URLs, payloads, or screenshots

The affected system and component

Your assessment of severity (CVSS score if possible)

Any proof-of-concept code, if applicable

We ask that you do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate it.

5. Our commitment

When you report a vulnerability under this policy, we commit to:

Acknowledging receipt of your report within 48 hours

Providing an initial triage assessment within 7 business days

Keeping you informed of our progress as we investigate and remediate

Notifying you when the vulnerability has been resolved

Not pursuing legal action against researchers who comply with this policy

6. Safe harbor

ArcSense Consulting Inc. will not pursue civil or criminal action against security researchers who: make a good faith effort to comply with this policy; avoid privacy violations, data destruction, and service disruption; do not exploit a security issue for reasons beyond demonstrating the vulnerability; and report the issue to us before public disclosure.

We consider security research conducted under this policy to be authorised conduct. If legal action is initiated by a third party against a researcher for activities conducted in accordance with this policy, we will take steps to make clear that such research was conducted with our authorisation.

Report a vulnerability

Send your findings to security@arcsense.ca. We aim to acknowledge all reports within 48 hours.