CertumCore
Security Policy
CertumCore maintains verification-focused infrastructure designed to evaluate whether systems behave as expected. Security issues are treated as deviations between expected and observed behavior.
Reporting Channel
Submit security reports to:
Include a clear description of the issue, reproduction steps, relevant requests, responses, logs, screenshots, and observed versus expected behavior. Incomplete or non-reproducible submissions may not be reviewed.
Scope
- certumcore.com
- systems, services, and APIs operated by CertumCore
Rules of Engagement
- Interact only with systems you are authorized to test.
- Do not access, modify, exfiltrate, or destroy data.
- Do not perform actions that degrade service availability or performance.
- Do not conduct automated or high-volume scanning without prior authorization.
- Do not publicly disclose an issue before review and remediation where applicable.
Activity outside these constraints may be treated as hostile.
Response Model
- Reports are evaluated for validity, reproducibility, and signal.
- Confirmed issues may be investigated, contained, or remediated.
- Not all submissions will receive a response.
- No response timeline is guaranteed.
Compensation
CertumCore does not currently operate a bug bounty or financial reward program for vulnerability submissions.
Operational Framing
CertumCore systems are built around expected versus actual verification across transaction, checkout, and infrastructure layers.
Security reporting is handled as an extension of that same verification model: identify the deviation, preserve signal, and evaluate the discrepancy against expected system behavior.
Last updated: May 2026