Our commitment to researchers
QuantaSeal is a security company. We take vulnerabilities seriously and are grateful to researchers who take the time to report issues responsibly. If you follow this policy:
- We will acknowledge your report within 24 hours
- We will not pursue legal action against you for good-faith research conducted in accordance with this policy
- We will work with you to understand and validate the issue
- We will credit you in our security advisories (with your permission) when we disclose remediated vulnerabilities
- We will notify you when the vulnerability has been resolved
Scope: in scope
| Asset | Description |
|---|---|
| api.quantaseal.io | Production API - all authenticated and unauthenticated endpoints |
| app.quantaseal.io | Admin console web application |
| quantaseal.io | Marketing website |
| QuantaSeal SDKs | Python, Node.js, Go SDKs - github.com/quantaseal |
| MCP Server | @quantaseal/mcp-server - tool injection, auth bypass |
| PQC implementation | ML-KEM-768 / ML-DSA-65 implementation flaws - highest priority |
Out of scope
- Denial of service attacks (volumetric / application layer)
- Social engineering attacks against QuantaSeal employees or customers
- Physical attacks
- Attacks requiring physical access to a user's device
- Vulnerabilities in third-party dependencies that are already publicly known (report upstream instead)
- Self-XSS or issues requiring significant user interaction to exploit
- Missing security headers that do not present a direct security risk
- Rate limiting on non-sensitive endpoints
- Email enumeration without demonstrated exploit
Severity classification
| Severity | SLA | Examples |
|---|---|---|
| Critical | 7 days | Authentication bypass, cross-tenant data access, PQC cryptographic weakness, remote code execution, key material exfiltration |
| High | 30 days | Privilege escalation within tenant, stored XSS, significant information disclosure, SSRF to internal services |
| Medium | 90 days | Reflected XSS, CSRF, open redirect, sensitive data exposure in error messages |
| Low | 90 days | Verbose error messages, minor information leakage, best-practice deviations |
What to include in your report
- Description of the vulnerability and its potential impact
- Affected URLs, endpoints, or components
- Step-by-step reproduction instructions
- Proof-of-concept (screenshots, HTTP request/response captures, code) - do not exfiltrate real customer data
- Your contact email (for coordination and credit)
Rules of engagement
To qualify for safe harbour, you must:
- Only test against accounts you own or have explicit permission to test
- Not access, modify, or delete data that does not belong to you
- Not disclose the vulnerability publicly before we have resolved it (coordinated disclosure)
- Not exploit the vulnerability beyond the minimum necessary to demonstrate the issue
- Not conduct testing that could affect service availability for other customers
Bug bounty rewards
| Severity | Reward | Examples |
|---|---|---|
| Critical | $500 AUD | Cross-tenant vault access, auth bypass, PQC algorithm downgrade |
| High | $200 AUD | Privilege escalation, SSRF, significant data exposure |
| Medium | Public credit | Limited scope info disclosure, minor auth issues |
| Low | Hall of Fame | Best-practice deviations, low-impact findings |
Rewards paid via bank transfer or PayPal within 30 days of fix verification. Duplicate reports are not eligible. Bounty amounts may increase as the programme matures.
How to report
Send your report to security@quantaseal.io with the subject line `[SECURITY] <brief description>`.
For highly sensitive reports, encrypt your email using our PGP key (download PGP key).
Key fingerprint: D866 301F 83C1 F7D4 CF4F 87F4 DA64 E1C9 BCB5 A2FE
Curve25519 · UID: QuantaSeal Security <security@quantaseal.io>