Reporting a security vulnerability

Security is a core consideration in the design, development, and operation of the Contensis software and services. Our platforms are used by organisations with complex digital estates and high expectations around data protection, resilience, and compliance, and we take that responsibility seriously.

Zengenti, the company behind Contensis, is certified to ISO/IEC 27001 as part of its commitment to operating a formal Information Security Management System (ISMS). This provides a structured framework for identifying, assessing, and managing information security risks across our people, processes, and technology, supported by independent external audits.

Despite these measures, no system can be considered entirely free from risk. We therefore value the role of the security community and welcome responsible disclosure from researchers who identify potential vulnerabilities in the Contensis software or supporting systems.

If you believe you have identified a security vulnerability in any of our systems, please report it to us as soon as possible by emailing:

security@contensis.com

Please include the following information in your report, where available:

• The URL or IP address where the vulnerability can be observed
• A brief description of the type of vulnerability
• Clear steps to reproduce the issue using a benign, non-destructive proof of concept

Providing sufficient detail helps us triage reports quickly and accurately, reduces the likelihood of duplicate reports, and minimises the risk of unintended exploitation.

You should not exploit vulnerabilities on production systems or attempt to access, modify, or extract personal or sensitive data.

• We will acknowledge receipt of all reports within 7 working days.
• Our engineering and security teams will assess the report to confirm the issue, understand its impact, and determine appropriate remediation.
• Where a valid vulnerability is identified, we will work to resolve it in line with its severity and risk.
• We may contact you for clarification or additional information and will keep you informed of progress where appropriate.
• Once the issue is addressed, we will confirm closure. Where coordinated disclosure is appropriate, we will discuss timing with you.

We appreciate the time and effort taken to report security issues. At this time, we do not offer monetary rewards for vulnerability disclosures.

We ask security researchers and industry professionals to follow these guidelines when reporting potential vulnerabilities:

Submit vulnerability details directly to us and allow reasonable time for investigation and remediation before any public disclosure.

Do not exploit a vulnerability beyond what is necessary to confirm its existence. Avoid actions that could degrade service performance, compromise data, or impact other customers.

Do not access, modify, or exfiltrate customer data. If personal or sensitive data is encountered unintentionally, stop testing and report this immediately.

Where possible, include reproduction steps, affected components or URLs, proof of concept, and any relevant logs or screenshots.

All testing should be conducted ethically, lawfully, and in line with these guidelines.

We consider security research conducted in line with these guidelines to be authorised and in good faith. We do not intend to pursue legal action against researchers who make a genuine effort to follow this process, avoid harm, and do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and address them.

Last updated: 12/01/2026