Security

Responsible Disclosure

We take the security of the quiXzoom platform seriously. If you have identified a potential vulnerability, we want to hear from you.

Report a vulnerability

Send details of the vulnerability to our security team. Include a clear description, steps to reproduce, affected component, and potential impact. We treat all reports as confidential.

Email: security@quixzoom.com (PGP key available on request; reference "PGP Request" in your subject line).

Initial response (48h): We acknowledge all reports within 48 hours of receipt.

Triage update (7d): We provide a triage assessment and severity classification within 7 days.

Disclosure window (90d): We aim to remediate and disclose confirmed vulnerabilities within 90 days.

Scope

The following are in scope for responsible disclosure:

  • www.quixzoom.com and all subdomains
  • app.quixzoom.com (Zoomer and organisation platform)
  • The quiXzoom mobile application (iOS and Android)
  • API endpoints documented at developer.quixzoom.com

Third-party services integrated by quiXzoom (payment processors, identity verification providers, CDN) are not in scope. Please report those directly to the respective vendor.

Safe harbour

No legal action against good-faith researchers

quiXzoom will not initiate legal proceedings against security researchers who identify and report vulnerabilities in accordance with this policy. Good-faith research that avoids user data exposure, system disruption, or privacy violations is protected.

Confidential handling

We will not share your identity or contact details with any third party without your explicit consent, except where required by law. Reports are handled by the security team only.

What is excluded from safe harbour

Vulnerability research that involves accessing, modifying, or exfiltrating user data; disrupting platform availability; or social engineering of quiXzoom staff is not covered by this policy and may be subject to legal consequences.

Hall of fame

We publicly acknowledge researchers who responsibly disclose verified security vulnerabilities. Acknowledgement is made with the researcher's consent and is listed on our Security and Trust page.

quiXzoom does not operate a formal bug bounty programme at this time. We are grateful to the security community and consider every responsible disclosure a genuine contribution to the safety of our platform and its users.

Expectations for researchers

  • Report vulnerabilities promptly and do not exploit them beyond what is necessary to demonstrate the issue
  • Do not access, modify, or retain user data beyond what is incidentally accessed during testing
  • Do not perform denial-of-service attacks, spam, or social engineering
  • Allow us reasonable time to respond and remediate before public disclosure
  • Act in good faith at all times