Security

Responsible disclosure policy

If you found a vulnerability in QuantumScan — in the platform, the API or scanner-core — we want to know. We take security seriously and act fast.

How to report: Send an email to security@quantumscan.io with a detailed description, reproduction steps and estimated impact. We respond within 48 business hours.
We promise: We will not take legal action against researchers who act in good faith and follow this policy. If you wish, we will credit your name or handle in our acknowledgements.

Scope

In scope

  • quantumscan.io (production)
  • API /api/* and serverless functions
  • Authenticated dashboard
  • Scanner-core engine (public repo)
  • Customer data leakage
  • Privilege escalation
  • SSRF / RCE / SQLi / Persistent XSS

Out of scope

  • DDoS attacks
  • Social engineering
  • Clickjacking without practical impact
  • Automated scanner results without PoC
  • Known vulnerabilities in third-party dependencies (public CVEs)

Our security practices


Encryption at rest and in transit

The Neon database is reached over TLS. Bring-your-own-key (BYOK) keys are encrypted with AES-256-GCM before they are stored. Customer keys never appear in logs.


Authentication via Clerk

OAuth 2.0 (Google) and magic-link sign-in. Sessions use automatic token rotation. MFA is available on all plans.


Full audit log

Every sensitive action (scan, export, delete, settings change) is logged with the IP address, user agent and an integrity hash. The log can be exported in one click from the GDPR panel.


Principle of least privilege

GitHub/GitLab tokens are requested with the minimum read scope. We never write to a customer's repository, except through the PR bot, which requires explicit installation permission.

Disclosure history

No critical vulnerabilities reported to date. This section will be updated as findings are resolved and responsibly disclosed.

Found something?

Report privately. We respond within 48 business hours.

security@quantumscan.io