Security Policy
We take the security of QuantLogix and our users seriously. This page describes how to report a vulnerability and what you can expect from us in return.
Reporting a vulnerability
If you believe you've found a security issue affecting QuantLogix, please email support@quantlogix.ai with the subject line Security Report. Include:
- The vulnerability class (e.g. authentication bypass, IDOR, XSS, info disclosure, misconfiguration)
- A CVSS 3.1 estimate or impact summary
- Reproduction steps with the exact URL(s), request payloads, and any responses that demonstrate the issue
- Your name or handle (only if you'd like public credit)
Reports without specific reproduction details cannot be triaged. We do not respond to vague "I found something, send me your secure portal" inquiries.
What we commit to
- Acknowledge your report within 5 business days.
- Triage within 14 business days and tell you whether the report is in-scope.
- Fix in-scope critical and high-severity findings as quickly as we can — typically within 30 days, often sooner.
- Credit you publicly (with your permission) when the fix ships, if you'd like recognition.
What is in scope
- quantlogix.ai and its API endpoints (/api/*)
- quantlogix.co (alias) and www.quantlogix.*
- Authentication / authorization issues affecting user accounts, billing, or data access
- Server-side request forgery, SQL/NoSQL injection, cross-site scripting in our hosted markup
- Cryptographic flaws in our webhook signature verification or session handling
What is NOT in scope
- Issues in third-party services (Vercel, Clerk, Stripe, Plaid, Supabase, Polygon, Databento) — please report those to the vendor directly
- Reports from automated scanners with no proof of exploitability
- Missing security headers without a demonstrated impact (e.g. "no X-Frame-Options" — we already set it)
- Self-XSS, social engineering, or physical attacks
- Rate-limiting or DoS vectors that depend on resources beyond a single user's account
- Email spoofing reports based solely on missing SPF/DMARC strict mode (we use Resend's authenticated domain)
Bug bounty
QuantLogix does not currently operate a paid bug bounty program. We do not pre-commit to financial rewards. We do appreciate responsible disclosure and we'll publicly credit researchers (with your permission) on this page when their reports lead to a shipped fix.
We do not respond to "beg-bounty" requests demanding payment or a "secure portal" before disclosure of technical details. Please send the technical details first; payment discussions, if any, follow.
Safe harbor
If you make a good-faith effort to comply with this policy during your security research, we will not pursue legal action against you. Specifically:
- Do not access, modify, or delete data belonging to other users
- Do not disrupt service availability for our users
- Do not exfiltrate more data than is strictly necessary to demonstrate the issue
- Notify us promptly and give us a reasonable window (≥30 days) before public disclosure
Contact
Email: support@quantlogix.ai
Machine-readable: /.well-known/security.txt