Last updated: May 2026
Overview
QONE takes the security of its platform and the privacy of its users seriously. We welcome reports from security researchers who discover potential vulnerabilities in our systems. This page describes how to report a vulnerability, what we commit to in response, and the rules of engagement under which we operate.
To report a vulnerability, email [email protected]. We will acknowledge your report within 3 business days and keep you updated throughout the resolution process.
Scope
The following assets are in scope for this policy:
- qone.work and all subdomains (e.g.
*.qone.work) - QONE web application — authentication, tenant isolation, data access controls, API endpoints
- QONE API — REST endpoints accessible at
*.qone.work/api
Assets not listed above — including third-party services we integrate with (Paddle, Stripe, Slack, PostHog, Sentry) — are out of scope. Please report issues with those services directly to their respective security teams.
How to Report
Send an email to [email protected] with the subject line [Security Report] followed by a brief description of the issue.
Please do not report security issues via GitHub issues, public forum posts, or social media. Coordinated disclosure protects all users while a fix is prepared.
If you believe a vulnerability is critical and requires immediate attention, state that clearly in the subject line: [Security Report — Critical].
What to Include
A good report helps us reproduce and fix the issue faster. Please include as much of the following as possible:
- A clear description of the vulnerability and its potential impact
- The URL, endpoint, or component where the vulnerability was found
- Step-by-step instructions to reproduce the issue
- Screenshots, HTTP request/response logs, or a proof-of-concept (PoC)
- The type of vulnerability (e.g. XSS, IDOR, SSRF, broken authentication)
- Any mitigating factors you observed
What to Expect
We are committed to working with security researchers transparently and promptly. Here is what you can expect after submitting a report:
- Acknowledgment: Within 3 business days of receiving your report.
- Initial assessment: Within 10 business days — we will confirm whether the issue is valid and provide a severity assessment.
- Resolution: We aim to resolve critical issues within 30 days and high-severity issues within 60 days. We will keep you informed of our progress.
- Disclosure: We follow coordinated disclosure. We ask that you allow us reasonable time to fix the issue before any public disclosure. We will coordinate timing with you.
At this time we do not operate a formal bug bounty program. We deeply appreciate responsible disclosures and will publicly acknowledge researchers who wish to be credited (with your permission).
Safe Harbor
If you conduct security research in good faith and in accordance with this policy, QONE will:
- Not pursue civil or criminal action against you
- Work with you to understand and resolve the issue quickly
- Treat your report with confidentiality and not share your personal information without your consent
"Good faith" means you must not: access or modify data belonging to other users without their explicit permission, perform denial-of-service attacks, send unsolicited bulk messages, or attempt to extort QONE or its users.
Out of Scope
The following are out of scope and will not be accepted as valid reports:
- Vulnerabilities in third-party services or libraries that are not exploitable in our context
- Issues that require physical access to a user's device or account credentials
- Self-XSS (where the attacker must be the victim)
- Theoretical vulnerabilities without a working proof-of-concept demonstrating real impact
- Missing security headers on non-sensitive static assets or third-party embeds
- Rate-limiting on non-sensitive endpoints (e.g. public landing page content)
- Social engineering or phishing attacks targeting QONE staff or users
- Denial-of-service (DoS/DDoS) attacks
- Clickjacking on pages with no sensitive actions
- Open redirects that cannot be used to steal credentials or session tokens
- Scanner output or automated tool reports without manual verification
If you are unsure whether an issue falls within scope, err on the side of reporting — we would rather triage an out-of-scope report than miss a real vulnerability.