Trust center

Responsible Disclosure

Qubicbox partners with researchers to keep the ecosystem calm and safe. If you discover a vulnerability, follow the policy below and reach our TrustOps team directly.

Responsible disclosure desk

responsible@qubicbox.com

PGP available on request

Principles

How to engage

Act in good faith and avoid privacy violations, service disruption, or accessing data beyond what is necessary to demonstrate the issue.
Give us reasonable time to remediate before you disclose publicly. We aim to acknowledge within 48 hours and provide fixes within 30 days.
Do not modify or destroy data. If you encounter customer information, stop and notify us immediately.
Never exploit a vulnerability beyond the minimal proof-of-concept needed for your report.
Use only your own accounts when testing authentication or authorisation boundaries.

Process

What to include

Description: clear summary of the impact, the affected product, and why it matters.
Steps: reproducible steps or proof-of-concept that demonstrate the issue calmly without harming data.
Environment: browser, device, API path, and any headers or payloads involved.
Contact: how we can follow up and whether public credit is desired.

In scope

Qubicbox marketing properties (qubicbox.com, *.qubicbox.com)
Qubicweb intelligence portal and E-Fraud Watch surfaces
Qlutterbox and Qubictry preview environments when credentials are provided
Trust badge routes, endpoints, and badge APIs

Out of scope

Social engineering against Qubicbox staff, partners, or customers
Physical attacks or device theft
Automated scans that degrade service availability
Findings that rely on compromised third-party systems outside our control

Next steps

We acknowledge valid submissions within 48 hours and provide a fix timeline shortly after triage.

If you need a secure file exchange space, request it in your initial email and we will provision one-time upload links.

Return to Trust Centre