← Back to Legal

Vulnerability Disclosure

Last updated: June 2026

QuantCDN takes the security of its products and services seriously. We welcome reports from security researchers, customers, partners and members of the public about security vulnerabilities you identify in the software we publish and the services we operate.

This statement explains what is in scope, how to report a vulnerability to us, the rules we ask you to follow, and the protections we offer you when you act in good faith. We are grateful to everyone who takes the time to help us keep QuantCDN secure.

Scope

This program covers vulnerabilities in:

  • the QuantCDN platform and services we operate, including the QuantCDN content delivery and hosting platform, the customer portal, QuantGov Cloud, and our internet-facing assets (for example, quantcdn.io and associated services);
  • the source code we publish, in our public repositories under github.com/quantcdn; and
  • the artifacts we publish and maintain, including QuantCDN-owned container and base images, packages and command-line tools.

The following are out of scope:

  • Customer websites, applications and content hosted on QuantCDN. QuantCDN is a platform provider, and customer workloads are isolated on our platform. A vulnerability in a customer’s own site, application or content is the responsibility of that customer, not QuantCDN. If you believe you have found such an issue, please report it to the site owner. If you are unsure, you may contact us and we will, where we can, help direct your report to the right party.
  • End-of-life components we publish deliberately for compatibility. We knowingly publish and support some older components (for example, PHP 7.4) so that customers who require them can continue to operate. Where a component’s end-of-life status is a deliberate, documented decision on our part, it is not treated as a vulnerability. Genuine, exploitable vulnerabilities in those components are, however, in scope.
  • Third-party services we do not operate, even where they are linked from or integrated with our services.

If you are not sure whether something is in scope, contact us at security@quantcdn.io and ask.

How to report a vulnerability

Please report vulnerabilities to us through one of these channels:

  • Emailsecurity@quantcdn.io, for vulnerabilities in the QuantCDN platform, services and internet-facing assets. If your report is sensitive, email us first and we will provide a means to share it securely.
  • GitHub Private Vulnerability Reporting — for vulnerabilities in our published source code and artifacts. Use the “Report a vulnerability” option in the Security tab of the affected repository under github.com/quantcdn.

To help us respond quickly, please include:

  • the affected product, service, repository or URL;
  • the type of vulnerability and what an attacker could do with it;
  • clear, reproducible steps or a proof of concept; and
  • any relevant version or configuration details.

Please do not include real customer data or personal information in your report. A description or a redacted example is sufficient.

We will never require you to sign a non-disclosure agreement as a condition of submitting or progressing a report.

Rules of engagement

So that we can protect our customers and so that your research stays within the safe harbour below, we ask that you follow these rules.

You may:

  • test only the systems, products and services listed as in scope above;
  • do only the minimum testing needed to find and demonstrate a vulnerability, and stop as soon as you have confirmed it; and
  • report what you find to us promptly and directly.

Please do not:

  • access, change, delete or download data that is not yours, beyond the minimum needed to demonstrate the issue;
  • disrupt or degrade our services, including any form of denial-of-service (DoS/DDoS) or high-volume testing;
  • use social engineering, phishing, or physical attacks against our people, customers or premises;
  • test, or attempt to pivot into, customer websites, applications or content hosted on our platform;
  • disclose the vulnerability publicly or to anyone else before we have resolved it and agreed the disclosure with you; or
  • break any applicable law or invade anyone’s privacy.

Safe harbour

If you make a good-faith effort to comply with this statement during your research, we will consider your activity to be authorised, and:

  • we will not initiate or recommend legal action against you in connection with that research, including under computer-misuse laws or terms of service that would otherwise prohibit it;
  • we will work with you to understand and resolve the issue quickly; and
  • if a third party (for example, an affected customer) brings legal action against you for activity that complied with this statement, we will take reasonable steps to make known that your activity was authorised under it.

This protection applies only to activity that complies with this statement. It does not authorise activity that is in bad faith, that breaches the rules of engagement, or that is unlawful. If you are unsure whether something is permitted, ask us first at security@quantcdn.io — we would rather you ask than risk falling outside this protection.

What you can expect from us

When you report a vulnerability to us, we will:

  • acknowledge your report within 3 business days;
  • triage and validate it, and assess its severity using the Common Vulnerability Scoring System (CVSS);
  • keep you informed of our progress and of when we expect to resolve the issue;
  • remediate confirmed vulnerabilities as quickly as we reasonably can, prioritised by severity; and
  • credit you for your discovery if you would like to be recognised.

We treat every report seriously and we treat reporters acting in good faith as valued contributors to the security of our products and services.

If your report duplicates one we already hold, or concerns an issue we have already mitigated or have formally accepted (for example, a deliberately-published end-of-life component), we will tell you and close it as a duplicate or known issue. If we disagree about whether something is a valid vulnerability, or about its severity, our CISO makes the final decision.

Coordinated disclosure

We follow a coordinated disclosure approach. We will work with you to fix the vulnerability and to agree when and how it is disclosed publicly. Our usual approach is to disclose once a fix or mitigation is available, and within 90 days of validating your report, unless we agree a different timeframe with you or circumstances require otherwise (for example, if the issue is being actively exploited or affects multiple vendors).

If we cannot agree on the timing, we may set the disclosure date based on the risk to our customers and systems, and we will give you reasonable notice before we publish.

We ask that you do not disclose the vulnerability publicly until we have coordinated the disclosure with you.

When we publish, we issue an advisory through GitHub Security Advisories that, where applicable, includes a Common Weakness Enumeration (CWE) identifier, a Common Platform Enumeration (CPE) identifier and the affected and fixed versions, a CVSS score, and a CVE identifier.

This is not a bug bounty

This is a vulnerability disclosure program, not a bug bounty program. We do not offer monetary rewards for vulnerability reports. We do, however, genuinely value your contribution and are happy to acknowledge it publicly if you would like us to.

Recognition

If you report a valid vulnerability and would like to be recognised, let us know and we will credit you — for example, in the relevant security advisory. If you would prefer to remain anonymous, we will respect that. Thank you for helping keep QuantCDN and its customers secure.