Reporting a vulnerability
Email support@quantumcryptorisk.com with subject line Security Report. Include reproduction steps, the exact URL or endpoint, and any output that demonstrates the issue. A PGP key for encrypted reports will be published here shortly; until then, please omit sensitive proof-of-concept payloads from initial email and we will move you to an encrypted channel.
In scope / out of scope
In scope. Vulnerabilities in the QuantumCryptoRisk web application, our public API endpoints, and our authentication or payments flow that could compromise user data, credits, or account integrity.
Out of scope.
- Denial-of-service or resource-exhaustion testing.
- Automated scanner output without a working proof of concept.
- Social engineering of our staff or contributors.
- Issues in third-party services we depend on — report those to the vendor.
- Missing rate limits on unauthenticated marketing endpoints.
Our response commitments
- Acknowledgement within two business days.
- Initial triage and severity within five business days.
- Remediation timeline shared with you and updated as it changes.
- Public disclosure only after a fix is deployed, or after 90 days if no fix is possible — whichever comes first — and always coordinated with you.
Safe harbor
We will not pursue civil or criminal action against researchers who make a good-faith effort to comply with this policy, avoid privacy violations and destruction of data, and give us reasonable time to remediate before public disclosure.
Credit and rewards
We do not currently run a paid bug-bounty programme. We credit reporters by name (or by handle at your preference) on this page after remediation.
If you think user funds are at risk
QuantumCryptoRisk does not custody user funds and cannot move anyone's cryptocurrency. If you believe a wallet is at active risk of theft, the safest actions are on the wallet owner's side — see the guidance on the Wallet Scanner and Quantum-safe wallets pages.