“An essential aspect of creativity is not being afraid to fail.”
—Edwin Land

Responsible disclosure

No technology is perfect, and Quby believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe that you've found a security issue in our product or service, we encourage you to notify us. We welcome the opportunity to work with you to resolve the issue promptly.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.
  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • If you discover a weakness and investigate it, you might perform actions that are punishable by law. If you observe the rules for reporting weaknesses in our IT systems, we will not report your offence to the authorities and will not submit a claim.


It is important for you to know, however, that the public prosecutor’s office – not Quby – will decide whether or not you will be prosecuted, regardless of whether we report your offence to the authorities. We cannot promise that you will not be prosecuted if you commit a punishable offence when investigating a weakness.

Scope
The scope is broad: all Quby products are within scope. Reported vulnerabilities are currently reviewed on a case-by-case basis. However, please read on for our “non-qualifying vulnerabilities.”

Non-qualifying Vulnerabilities
Please refrain from accessing private information (so use test accounts), performing actions that may negatively affect users (spam, denial of service), or sending reports from automated tools without verifying them.

The following issues are outside the scope of our vulnerability rewards program (either ineligible or false positives):

  • Attacks requiring physical access to a user's device, or physical access to our offices (e.g. open doors, tailgating)
  • Password and account recovery policies, such as reset link expiration or password complexity
  • Invalid or missing SPF (Sender Policy Framework) records
  • Bypass of URL malware detection
  • Vulnerabilities only affecting users of outdated or unpatched browsers and platforms
  • Social engineering of Quby staff or contractors
  • Any physical attempts against Quby property or data centers
  • UI and UX bugs and spelling mistakes
  • Network level Denial of Service (DoS/DDoS) vulnerabilities


How to Report a Vulnerability
Quby uses a third party to help us validate and manage suspected vulnerabilities.
You can report your discovery here.
Please include the following details with your report:

  • Description of the location and potential impact of the vulnerability;
  • A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful to us); and
  • Your name/handle and a link for recognition in our Hall of Fame.


Thank you for helping keep Quby and our users safe.