Responsible Disclosure Policy

Security is at the core of what FSET does, and that means holding ourselves to the same standard we set for our clients. If you have discovered a potential security vulnerability in our systems or website, we want to hear from you. 

Our Commitment to Researchers 

FSET values the work of the security research community. We believe responsible disclosure makes the internet safer for everyone, and we are committed to working collaboratively with researchers who identify vulnerabilities in our systems. 

When you report a vulnerability in good faith and follow the guidelines on this page, we commit to: 

  • Acknowledge your report within 3 business days 
  • Investigate your submission thoroughly and in good faith 
  • Keep you informed of our progress as we work toward a resolution 
  • Not pursue legal action against researchers who act in good faith in accordance with this policy 

Scope 

This policy applies to security vulnerabilities affecting: 

  • Our website: fset.inc 
  • Our public-facing web applications and portals 
  • Our email infrastructure (mail.fset.ca) 

Out of Scope 

The following are outside the scope of this policy: 

  • Physical security testing of FSET offices or facilities 
  • Social engineering attacks against FSET employees or clients 
  • Denial of service (DoS) or distributed denial of service (DDoS) testing 
  • Automated scanning tools that create excessive traffic or system load 
  • Vulnerabilities in third-party services or software that we use but do not control 
  • Client environments and systems managed by FSET on behalf of our clients — please contact us directly if you have concerns related to a managed environment 

What We Ask of You 

To ensure a safe and productive disclosure process, please: 

  • Do not access, modify, or delete data that does not belong to you 
  • Do not disrupt or degrade services for other users 
  • Do not publicly disclose the vulnerability until we have confirmed it has been resolved or until 90 days have passed from your initial report, whichever comes first 
  • Do provide enough detail for us to reproduce and understand the issue 
  • Do act in good faith and with the intent to improve security 

How to Report 

Send your report to our security team by email via our contact page. Please include: 

  • A description of the vulnerability and its potential impact 
  • The URL, system, or component affected 
  • Step-by-step instructions to reproduce the issue 
  • Any supporting evidence (screenshots, logs, proof-of-concept code) 

If you require encrypted communication, say so in your initial email without including the vulnerability details, and we will provide a secure channel before you send the full report. 

We aim to acknowledge all reports within 3 business days and provide a resolution timeline within 10 business days of acknowledgement. 

Our Security Posture 

FSET is certified to ISO 27001:2022 — the internationally recognised standard for information security management. Our security programme includes formal incident response procedures, internal audits, and continuous monitoring. Responsible disclosure is a natural extension of this commitment. 

Learn more on our Trust Centre page. 

Safe Harbour 

This policy does not grant permission to access systems beyond what is strictly necessary to identify and report a vulnerability. FSET reserves all rights under applicable law. However, we will not pursue legal action against researchers who: 

  • Act in good faith 
  • Comply with this policy 
  • Make no attempt to access, alter, or destroy data that does not belong to them 
  • Do not disrupt services or exploit findings beyond proof-of-concept 

If you are unsure whether your planned research falls within this policy, please contact us before proceeding.