QuantKey Solutions LLC
Vulnerability Disclosure Policy (VDP)

Last updated: October 1, 2025


1) Purpose


This policy sets out how to report security vulnerabilities to QuantKey and how we commit to handle them. It aligns with widely‑adopted guidance for coordinated vulnerability disclosure.


2) Scope

A. In‑scope domains: quantkey.com and any subdomains we operate, plus content we host for our services where QuantKey controls configuration.

B. Third‑party/vendor platforms: Our technology partners, carriers (e.g., Twilio), email providers (e.g., Mailgun/Postmark/SendGrid), cloud/CDN, payment processors (e.g., Stripe/PayPal/NMI/Authorize.net), and similar vendors are out of scope for direct testing. If you find an issue that clearly affects QuantKey via those services, report it to us and we’ll coordinate with the vendor.

C. What’s in: Auth/session flaws, access control (IDOR), injection, SSRF, XSS, CSRF, misconfigurations that expose data or admin surfaces, direct object reference to tenant resources, logic issues with security impact, secrets in public code/assets.

D. What’s out (examples): Social engineering, physical attacks, DDoS or volumetric load testing, spam/DMARC policy choices without a demonstrated exploit, missing security headers without a demonstrated exploit, clickjacking on non‑sensitive pages, open redirects without impact, rate‑limit findings without a proven abuse path, and findings that require a jailbroken device or MITM of the user’s own traffic with no server‑side weakness.


3) Testing guidelines (do no harm)

A. Use only your own accounts. Don’t access other users’ data.

B. No service disruption: don’t run DDoS, fuzz at production‑unsafe rates, or spam flows.

C. No data exfiltration: use the minimum data needed to demonstrate impact; redact PII.

D. Don’t modify or destroy data; don’t plant backdoors; don’t pivot to vendors’ internal networks.

E. Respect rate limits and automation defenses. Ask if you need a test tenant.


4) How to report


Email [email protected], or see the Reporting Contact page at https://quantkey.com/security/report. Include clear repro steps, affected URLs, and impact.


5) Our commitments

A. Authorize good‑faith research under this policy (within scope & rules).

B. Acknowledge within 3 business days; triage within 10 business days.

C. Provide status updates and work toward timely remediation based on severity.

D. Offer recognition (Hall of Fame) with your permission once fixed.


6) Safe Harbor


If you comply with this policy:

A. We won’t pursue civil action or refer to law enforcement for your research.

B. We won’t enforce anti‑circumvention or EULA/ToS restrictions solely for acts consistent with this policy.

C. If a third party brings a claim related to your authorized testing, we will make it known that your actions were conducted under this policy.


This reflects “good‑faith” safe‑harbor practices recommended by CISA and the U.S. Department of Justice.


7) Severity & prioritization


We use risk/impact and exploitability to prioritize fixes (e.g., critical auth bypass or cross‑tenant data access outranks minor UX security defects). We may reference CVSS for consistency, but reserve judgment based on business context.


8) Non‑monetary program


We don’t offer bounties at this time. Duplicate reports, issues already known, or issues outside scope won’t receive recognition.


9) Coordinated disclosure


Please don’t publicly disclose details until we’ve validated and fixed the issue, or 90 days have passed without a fix. We’ll collaborate on timing and credit.


10) Thank you


We appreciate the time and care researchers invest to protect our customers.


11) Contact

Email: [email protected]

US Mail:

QuantKey Solutions LLC
1930 18th St. NW
Ste B2 #1101
Washington, DC 20009


© Copyright QuantKey Solutions 2025. All rights reserved. QuantKey®, the stylized “Q” logo, QuantKey Control™, and QuantKey Growth Hub™ are trademarks or registered trademarks of QuantKey Solutions LLC in the United States and other jurisdictions. All other marks are the property of their respective owners. NinjaTrader® is a registered trademark of NinjaTrader Group, LLC. QuantKey is an independent solution provider and is not legally affiliated with NinjaTrader or any of their affiliates. Any reference to “NinjaTrader” is for descriptive purposes only and does not imply any relationship with, or approval by, the NinjaTrader companies.