Security
Vulnerability Disclosure Policy
Quantum Pipes builds infrastructure that defense, healthcare, finance, and government teams trust on their own hardware. Security research is part of what makes that trust real. This policy describes how to report a vulnerability and the safe-harbor protections we extend to good-faith researchers.
- Last updated: April 25, 2026
- Effective: April 25, 2026
This policy supplements the /.well-known/security.txt file we publish at the canonical RFC 9116 location.
1. How to report
Send your report to hello@quantumpipes.com with the subject line Security: [short description].
Please include:
- A description of the vulnerability and the component affected.
- The URL, endpoint, or repository where you observed it.
- Steps to reproduce, including any payloads, screenshots, or scripts (text-based proofs are preferred over screen recordings).
- The impact you believe the vulnerability has.
- Your name or handle and how you would like to be credited if we publish a fix advisory.
If you cannot reach us by email, see Section 2 below for alternative encrypted reporting channels.
2. Encrypted channels
For sensitive reports we offer the following encrypted-by-default channels. Pick whichever fits your workflow.
- GitHub Security Advisory (recommended): open a private advisory in the affected repository under github.com/quantumpipes. The report is end-to-end encrypted in transit and at rest by GitHub, scoped to project maintainers, and links cleanly to a CVE on resolution. This is the channel we direct most researchers to.
- PGP / OpenPGP: a team OpenPGP key for hello@quantumpipes.com is available on request. Email us with the subject line "Security: PGP request" and we will return our current public key, fingerprint, and verification instructions before you send the report. We rotate the key on a published schedule and will pre-share the next key during each transition window.
- Signed mail: if your client supports it, you may S/MIME-sign your initial email so we can verify the sender on first contact.
Do not send sensitive proof-of-concept material in plaintext if you have a reasonable alternative. If none of the above are workable for you, send a redacted summary by email and we will coordinate a secure handoff before you share the full payload.
3. Scope
In scope:
- The Site: www.quantumpipes.com and quantumpipes.com.
- Public source code under github.com/quantumpipes.
- Public well-known endpoints (/.well-known/security.txt, robots.txt, sitemap-index.xml, llms.txt, llms-full.txt).
Out of scope:
- Customer or partner deployments of the Quantum Pipes platform. Those are owned by the deploying organization; please report to them directly. We will help relay the report if you cannot identify a contact.
- Private repositories, internal services, and infrastructure we have not made publicly accessible.
- Findings that depend on social engineering, physical access, or stolen credentials.
- Reports that consist only of automated scanner output without a demonstrated security impact.
- Issues in third-party services we link to.
Examples of issues we typically consider low-priority or out of scope:
- Missing security headers without a demonstrated exploit. We operate a hardened header set; report deviations only when you can show an impact.
- Self-XSS, clickjacking on pages with no sensitive state, or login-CSRF on forms that have no authenticated state.
- Email-spoofing concerns for domains we do not send from.
- TLS configuration that already matches modern Mozilla SSL "Intermediate" guidance.
- Reports that require Internet-protocol denial of service (volumetric, SYN flood, etc.) to be exploitable.
- Disclosure of information that is already public.
4. Rules of engagement
To remain within the safe harbor in Section 6, please:
- Test only against assets in scope (Section 3).
- Use only your own accounts. Do not access, modify, or store data that does not belong to you.
- Stop the moment you confirm a vulnerability. Do not enumerate further.
- Do not run aggressive automated scanners against production. A handful of confirmed requests is enough to demonstrate impact.
- Do not perform any action that would degrade availability for other visitors (denial of service, brute force, mass scraping).
- Do not exfiltrate data beyond the minimum needed to demonstrate the issue. Delete any data you incidentally access.
- Keep the report private until we have shipped a fix or 90 days have passed since acknowledgment, whichever is earlier. We will work with you on coordinated public disclosure.
5. What you can expect from us
- Acknowledgment within three (3) business days of your report.
- Initial triage and severity assignment within seven (7) business days.
- A clear point of contact for the duration of the report.
- Honest updates on remediation progress at reasonable intervals.
- Public credit (with your permission) when we publish the fix advisory.
- A "thank you" worth giving. We do not currently operate a paid bug bounty, but we will extend recognition, swag where it is meaningful, and a real-human conversation that goes beyond the report.
6. Safe harbor
If you make a good-faith effort to comply with this policy:
- We will not pursue or support a civil claim, criminal referral, or law-enforcement action against you for security research on in-scope assets.
- We consider your activity to be authorized for purposes of computer-fraud statutes (including the U.S. Computer Fraud and Abuse Act) and analogous foreign laws, the U.S. Digital Millennium Copyright Act anti-circumvention provisions, and our website Terms of Service.
- We will work with you to clarify and resolve any inadvertent overstep.
If you are uncertain whether a planned action is in scope, ask first at hello@quantumpipes.com. We would much rather answer a "can I?" than navigate a misunderstanding after the fact.
This safe harbor does not extend to research targeting third parties or to actions that violate this policy. It does not authorize actions prohibited by law where we lack authority to authorize them. Our authorization is limited to the systems we control.
7. Public disclosure
We support coordinated disclosure. After a fix ships we are happy to:
- Co-author a public advisory or write-up.
- Add your name (or chosen pseudonym) to the project security advisory, the changelog, and any CVE assigned.
- Link to your own write-up.
If you intend to present the finding at a conference, we will align fix and advisory timing with the conference timeline.
8. AI-system reports
Quantum Pipes builds AI infrastructure, so a few categories of report deserve specific guidance:
- Prompt injection and jailbreak findings against our public demonstrations or open-source components are in scope. Include the input, the model or component, and the policy or guardrail you bypassed.
- Model-output harms (toxicity, bias, hallucination severity) are not vulnerabilities under this policy. We welcome those reports separately at wecare@quantumpipes.com; they will not receive the disclosure-policy timeline above.
- Capsule, signature, or audit-trail integrity findings (forgery, replay, hash-chain breakage, signature downgrade) are high priority. Please include enough detail for us to reproduce against published test vectors.
9. Contact
- Primary contact: hello@quantumpipes.com
- security.txt: www.quantumpipes.com/.well-known/security.txt
- GitHub Security Advisories: github.com/quantumpipes
- Languages: English
Thank you for spending time on this. The work matters.
Questions about this document? Email wecare@quantumpipes.com.