QorTrace is a cryptographic-risk product, so we hold ourselves to a high security bar. We welcome reports from the security community and commit to working in good faith with researchers who help us keep QorTrace safe.
1. Reporting a vulnerability
Email security@qortrace.com with a clear write-up of the issue, reproduction steps, affected URLs or endpoints, and any proof-of-concept code. Encrypt sensitive details with our PGP key:
- PGP public key: qortrace.com/.well-known/security-pgp.txt — ASCII-armored OpenPGP block. Fingerprint is in the comment header; verify it before encrypting sensitive disclosures.
- security.txt (RFC 9116): https://qortrace.com/.well-known/security.txt
We acknowledge reports within 2 business days and provide a triage decision within 5 business days.
2. Safe harbor
We will not pursue civil or criminal action against researchers who:
- Make a good-faith effort to comply with this policy.
- Avoid privacy violations, destruction of data, or interruption / degradation of the Service.
- Only interact with accounts they own or have explicit permission from the account holder to access.
- Stop testing as soon as the vulnerability is identified and provide us a reasonable time to remediate before public disclosure.
3. In scope
- The QorTrace web application at qortrace.com and *.qortrace.com.
- The QorTrace API at api.qortrace.com and qortrace.com/api.
- Customer-facing audit certificates and verification endpoints.
4. Out of scope
- Findings that require physical access, social engineering of QorTrace staff, or denial-of-service techniques.
- Reports based solely on automated scanner output without a working proof-of-concept.
- Best-practice configuration suggestions without a concrete impact (e.g. missing HSTS preload, weak ciphers in non-customer-facing internal tooling).
- Vulnerabilities in third-party services (Stripe, Cloudflare, Resend, etc.) — please report those directly to those providers.
- Spam, content-injection, or self-XSS that requires the victim to paste attacker-controlled code into devtools.
5. What we ask you NOT to do
- Do not access, modify, or delete data that does not belong to you.
- Do not run automated load tests, scraping at scale, or fuzzing against production.
- Do not publicly disclose findings before we’ve remediated.
6. Recognition
With your permission, we publicly credit researchers who report valid, in-scope issues on a hall-of-fame page after remediation. QorTrace does not currently operate a paid bug-bounty program, but we may award discretionary bounties or merch for impactful reports.
7. PGP & security.txt
Both the RFC 9116 /.well-known/security.txt and our PGP public key are published at the canonical paths above. If you find a discrepancy between this page and security.txt, the latter is authoritative.
8. Contact
Reports: security@qortrace.com
Privacy: privacy@qortrace.com
Press & partnerships: press@qortrace.com
