Last updated: October 1, 2025

1) Purpose

This policy sets how to report security vulnerabilities to QuantKey and how we commit to handle them. It aligns with widely‑adopted guidance for coordinated vulnerability disclosure.

2) Scope

A. In‑scope domains: quantkey.com and any subdomains we operate, plus content we host for our services where QuantKey controls configuration.

B. Third‑party/vendor platforms: Our technology partners, carriers (e.g., Twilio), email providers (e.g., Mailgun/Postmark/SendGrid), cloud/CDN, payment processors (e.g., Stripe/PayPal/NMI/Authorize.net), and similar vendors are out of scope for direct testing. If you find an issue that clearly affects QuantKey via those services, report it to us and we’ll coordinate with the vendor.

C. What’s in: Auth/session flaws, access control (IDOR), injection, SSRF, XSS, CSRF, misconfigurations that expose data or admin surfaces, direct object reference to tenant resources, logic issues with security impact, secrets in public code/assets.

D. What’s out (examples): Social engineering, physical attacks, DDoS or volumetric load testing, spam/DMARC policy choices absent exploit, missing security headers without demonstrated exploit, clickjacking on non‑sensitive pages, open redirects without impact, rate‑limit findings without a proven abuse path, findings requiring a jailbroken device or MITM of the user’s own traffic with no server‑side weakness.

3) Testing guidelines (do no harm)

A. Use only your own accounts. Don’t access other users’ data.

B. No service disruption: don’t run DDoS, fuzz at production‑unsafe rates, or spam flows.

C. No data exfiltration: use the minimum data needed to demonstrate impact; redact PII.

D. Don’t modify or destroy data; don’t plant backdoors; don’t pivot to vendors’ internal networks.

E. Respect rate limits and automation defenses. Ask if you need a test tenant.

4) How to report

Email [email protected], or see the Reporting Contact page at https://quantkey.com/security/report. Include clear repro steps, affected URLs, and impact.

5) Our commitments

A. Authorize good‑faith research under this policy (within scope & rules).

B. Acknowledge within 3 business days; triage within 10 business days.

C. Provide status updates and work toward timely remediation based on severity.

D. Offer recognition (Hall of Fame) with your permission once fixed.

6) Safe Harbor

If you comply with this policy:

A. We won’t pursue civil action or refer to law enforcement for your research.

B. We won’t enforce anti‑circumvention or EULA/ToS restrictions solely for acts consistent with this policy.

C. If a third party brings a claim related to your authorized testing, we will make it known that your actions were conducted under this policy.

This reflects “good‑faith” safe‑harbor practices recommended by CISA and the U.S. Department of Justice.\

7) Severity & prioritization

We use risk/impact and exploitability to prioritize fixes (e.g., critical auth bypass or cross‑tenant data access outranks minor UX security defects). We may reference CVSS for consistency, but reserve judgment based on business context.

8) Non‑monetary program

We don’t offer bounties at this time. Duplicate reports, issues already known, or issues outside scope won’t receive recognition.

9) Coordinated disclosure

Please don’t publicly disclose details until we’ve validated and fixed the issue, or 90 days have passed without a fix. We’ll collaborate on timing and credit.

10) Thank you

We appreciate the time and care researchers invest to protect our customers.

11) Contact

Email:

[email protected]

US Mail:

QuantKey Solutions LLC
1930 18th St. NW
Ste B2 #1101
Washington, DC 20009