Responsible Disclosure Policy

Security is core to CtrlOne. We welcome reports from security researchers and users who discover potential vulnerabilities in our products and services. This policy explains what is in scope, how to report an issue, and what you can expect from us.

Last updated: July 4, 2026

1. Our commitment

We are committed to working with the security community to keep CtrlOne and our customers safe. If you make a good-faith effort to comply with this policy during your research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and we will not pursue or support legal action against you.

2. Scope

This policy applies to security vulnerabilities discovered in:

  • The CtrlOne website and admin console at ctrlone.online.
  • The CtrlOne Windows agent and installers we distribute.
  • Our public API endpoints used by the Services.

3. Out of scope

The following are generally out of scope and should not be tested:

  • Denial-of-service (DoS) attacks or anything that degrades or disrupts our Services.
  • Social engineering, phishing, or physical attacks against our staff, customers, or facilities.
  • Reports from automated scanners without a demonstrated, exploitable impact.
  • Vulnerabilities in third-party services or software we do not control.
  • Testing against systems or accounts that do not belong to you without authorization.

4. How to report

Please email your findings to security@ctrlone.online. To help us triage quickly, include:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue.
  • Any proof-of-concept code, screenshots, or logs that support the report.
  • The affected URL, endpoint, or component and any relevant version details.

5. Guidelines for researchers

When researching, please:

  • Act in good faith and avoid privacy violations, data destruction, and service disruption.
  • Only interact with accounts and data you own or have explicit permission to access.
  • Do not access, modify, or exfiltrate other users' data; use a test account where possible.
  • Give us a reasonable amount of time to investigate and fix the issue before any public disclosure.
  • Do not publicly disclose the issue until we confirm it has been resolved.

6. What you can expect from us

When you report an issue in line with this policy, we will acknowledge your report, investigate it promptly, keep you informed of our progress, and let you know when the issue is resolved. We are grateful for responsible reports and are happy to credit researchers who wish to be recognized once an issue is fixed.

7. Contact

To report a security issue, email security@ctrlone.online. For all other enquiries, use support@ctrlone.online.