Vulnerability Disclosure Program

Effective date: April 19, 2026

1. Purpose

Quantum Risk Systems, Inc. (“QRS”) welcomes security research that helps keep our customers and their data safe. This Vulnerability Disclosure Program (“VDP”) describes how security researchers can report vulnerabilities to us and what they can expect in return.

2. Scope

The following assets are in scope for reports under this Program:

3. Out of Scope

  • Third-party services (cloud providers, auth providers, status page). Report directly to the relevant vendor.
  • Denial-of-service, volumetric, or brute-force attacks.
  • Social engineering of QRS personnel.
  • Physical attacks.
  • Findings that require physical access to a user's device, or hijacking of a session from the user's own device.
  • Missing security headers without a demonstrated exploit.
  • Outdated software disclosure without a demonstrated exploit.
  • Automated scan output without validation.

4. How to Report

  • Email: security@qrsrisk.com
  • PGP: a public key is available on request; plain email is acceptable if encrypted email is not practical.
  • Please include: a clear description of the vulnerability, steps to reproduce, any proof-of-concept you used, the potential impact, and contact information (if you want follow-up).
  • You may report anonymously; we will still triage and fix, but we cannot credit or follow up without contact details.

5. Safe Harbor

QRS will not pursue civil or criminal action, or send a DMCA takedown request, in response to security research conducted in good faith and consistent with this Program. “In good faith” means:

  • Only interacting with accounts and data that you own or have explicit permission to test.
  • Not accessing, modifying, or deleting data beyond what is necessary to demonstrate a vulnerability.
  • Not disrupting services or customer experience.
  • Giving us reasonable time to fix a vulnerability before public disclosure (see Section 7).
  • Not using the vulnerability for any purpose other than this Program.

If legal action is brought against you by a third party for activity consistent with this Program, we will take reasonable steps to make it known that your actions were conducted under this Program.

6. Our Commitments

  • Acknowledge receipt of your report within 3 business days.
  • Triage and provide an initial assessment within 10 business days.
  • Work with you to resolve the issue and provide status updates.
  • Credit you in our Hall of Fame (if you wish), once the issue is resolved and you agree to disclosure.
  • Not threaten or pursue legal action against researchers acting in good faith under this Program.

7. Coordinated Disclosure

We ask that researchers give us reasonable time to fix vulnerabilities before public disclosure. Our target disclosure window is 90 days from our acknowledgement of the report. We may request additional time for complex fixes; we will not sit on a vulnerability indefinitely. If you believe a longer delay is unreasonable, please tell us — we would rather keep the dialogue than surprise each other.

8. Rewards

QRS currently runs this Program as a vulnerability disclosure program rather than a paid bug bounty. We may, at our discretion, offer thanks, swag, or financial recognition for high-impact findings. As the Program matures, we may introduce a formal bounty structure; any change will be announced here.

9. Legal

By participating in this Program, you agree that your activity is subject to the laws of your location and of the United States. This Program does not grant you any rights to QRS's or its customers' data, and you must not retain, publish, or share any customer data encountered during testing. Research must not violate any law, including anti-hacking or wiretap statutes.