Security
Report vulnerabilities and contact our security team
Security Contact
Response Time
Within 48 hours
PGP Encryption
For encrypted communications, use our PGP public key:
Fingerprint: [Contact security@qryptonic.com to request]
Key available at: /.well-known/security.txt
Vulnerability Disclosure Policy
We value the security research community and welcome responsible disclosure of vulnerabilities. If you believe you have found a security vulnerability in our systems, we encourage you to report it to us.
In Scope
- qryptonic.com and *.qryptonic.com
- Client portal and authenticated services
- API endpoints
- Authentication and authorization issues
- Data exposure or leakage
- Cross-site scripting (XSS) and injection vulnerabilities
Out of Scope
- Social engineering attacks (phishing, vishing)
- Denial of service (DoS/DDoS) attacks
- Physical security attacks
- Third-party services and applications
- Vulnerabilities requiring physical access
- Spam or email configuration issues (SPF/DKIM/DMARC)
How to Report
When reporting a vulnerability, please include:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Proof of concept (if available)
- Your contact information for follow-up
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:
- Report vulnerabilities promptly and in good faith
- Avoid privacy violations, data destruction, and service disruption
- Do not access or modify data belonging to others
- Give us reasonable time to address the issue before disclosure
Recognition
We appreciate the efforts of security researchers in helping us maintain the security of our systems. Valid reporters may be recognized in our security acknowledgments (with permission).
Note: Qryptonic does not currently operate a paid bug bounty program. Recognition is provided on a case-by-case basis.