Responsible Disclosure

Percus is committed to working with security researchers to identify and fix vulnerabilities. This policy describes how to report a security issue and what you can expect from us in return.

How to report

Send vulnerability reports to security-compliance@percus.cl.

Include as much of the following as possible:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce (proof of concept, screenshots, HTTP requests/responses)
  • Affected URL, endpoint, or component
  • Your name or handle (optional — anonymous reports are accepted)

Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate.

Our commitments

| Commitment | Timeline |
|---|---|
| Acknowledge receipt of your report | Within 3 business days |
| Provide an initial assessment | Within 10 business days |
| Keep you informed of progress | At least every 15 business days until resolved |
| Notify you when the issue is fixed | Upon release of the fix |

Scope

In scope:

  • docs.percus.video and testing.docs.percus.video
  • Percus Backoffice (app.percus.video or equivalent)
  • Percus Player runtime
  • Percus SmartEmbed SDK
  • Percus public APIs

Out of scope:

  • Denial of service attacks
  • Social engineering or phishing of Percus staff
  • Physical security attacks
  • Vulnerabilities in third-party services outside Percus's control
  • Reports generated solely by automated scanners with no manual validation

Safe harbor

Percus will not pursue legal action against researchers who:

  • Report vulnerabilities in good faith following this policy
  • Avoid accessing, modifying, or deleting data that does not belong to them
  • Do not disrupt production services
  • Do not publicly disclose the vulnerability before a fix is available

We consider responsible disclosure activity to be authorized and we will work with you to understand and resolve the issue.

Contact

Email: security-compliance@percus.cl

For general security questions that are not vulnerability reports, you may also use the same address.