Trust & security

Responsible Disclosure

Qtonic Quantum welcomes coordinated reports from the security research community. This policy explains how to report a vulnerability, what is in scope, and the protections we extend to good-faith researchers.

In scope

qtonicquantum.com and *.qtonicquantum.com production properties
Public REST endpoints under /api/* served from qtonicquantum.com
Authenticated buyer surfaces accessed via approved engagements
Issued artifacts: signed proofs, manifests, and verification endpoints

Out of scope

Third-party services we consume (Azure, GitHub, Cloudflare, etc.) — please report directly to the vendor
Self-XSS, clickjacking on pages without state-changing actions
Rate limiting unaccompanied by a concrete impact path
Findings produced by automated scanners with no validated impact
Physical, social-engineering, denial-of-service, or stress-testing attacks
Any testing requiring access to data you are not authorized to access

How to report

Send your report directly to the dedicated security inbox below. It is the canonical reporting route published in our security.txt policy and is monitored for coordinated vulnerability disclosure.

security@qtonicquantum.com

A useful report typically includes:

A short title and a one-paragraph impact summary.
Step-by-step reproduction, including the exact URL, payload, and timestamps.
What you accessed and what you stopped before accessing.
Suggested remediation, if any.

Encryption

The current PGP public key for encrypted reports is published at /pgp-key.txt. Verify the fingerprint out-of-band before sending sensitive material; we are happy to confirm it by email on request.

Safe harbor

We will not pursue or support legal action against researchers who act in good faith and follow this policy. Specifically, we ask that you:

Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
Only interact with accounts you own or for which you have explicit permission.
Stop testing immediately if you encounter sensitive data, and report it.
Do not publicly disclose findings before coordinated disclosure timelines complete.

Activity that violates this policy or applicable law is not covered. When in doubt, ask first.

Response targets

We aim to acknowledge a valid report within five business days, confirm triage status within ten business days, and provide a remediation timeline once impact is reproduced. These are aspirational targets, not contractual commitments.

Disclosure timeline

We coordinate disclosure on a 90-day timeline by default. Where ecosystem dependencies require it, we will agree on a longer or shorter window with the reporter before publication.

Hall of Fame

Researchers who help us improve will be acknowledged here with their permission. This list is currently empty.

Bug bounty

A formal bug-bounty program is in design. Leave your address and we will notify you when it opens. No spam — operational updates only.

Machine-readable contact information is published at /.well-known/security.txt per RFC 9116.