Responsible Disclosure Policy

Last updated 2026-04-22. We take security seriously. Here’s how to tell us when we mess up.

Contact

Email security@quantumrepair.app with details of the issue, a proof of concept if you have one, and your preferred contact method. PGP key on request.

Our commitment

  • Acknowledgement within 24 hours (one business day).
  • Initial triage within 3 business days — you’ll know if we accept the report and what we think the severity is.
  • Critical fixes within 14 days; high within 30; medium within 90; low on normal cadence.
  • Public credit — with your permission, we list you on a researchers’ page. If you’d rather stay anonymous, that’s fine too.
  • No legal threats for good-faith research within the scope below.

Scope (green light)

  • *.quantumrepair.app web applications
  • QuantumRepair APIs
  • QuantumRepair mobile PWA
  • Infrastructure QuantumRepair owns and labels as ours

Out of scope

  • Third-party services (Stripe, Twilio, SendGrid, etc.) — report to them directly.
  • Subdomain takeovers on domains we’ve explicitly decommissioned.
  • Social engineering of our staff or customers.
  • Physical attacks on our offices.
  • Denial-of-service testing without prior written agreement.
  • Attacks against shops’ own data (you need their permission; the shop is the data controller).

Ground rules

  • Don’t access, modify, or exfiltrate data beyond what’s necessary to demonstrate the issue.
  • Don’t publicly disclose before we’ve fixed and coordinated a disclosure timeline.
  • Don’t demand payment or threaten disclosure as leverage — we’re happy to pay bounties on a case-by-case basis for severe findings, but extortion attempts get forwarded to law enforcement.
  • Test against your own test account, not real customers.

Bounties

We don’t run a continuous bug-bounty program yet. For qualifying critical or high findings we pay case-by-case, typically £250–£2,500. Check with us before you put in significant time and we’ll tell you whether a finding is likely to qualify.

Hall of fame

Coming soon — send us something good and we’ll start the list.