Security disclosure
How to report vulnerabilities in QuantZK protocol software, the verifier API, and production deployments.
Scope
In scope
api.quantzk.comverifier API (billing attest/verify, VDI endpoints)- Cryptographic implementations (
protocol/packages/*, circuits, artifact manifests) - Production configuration that affects billing integrity or attestation verification
quantzk.com/quantzk.com/docswhen the issue enables compromise of user data or billing proofs
Out of scope
- Social engineering, physical attacks, denial-of-service without a reproducible flaw
- Issues in third-party services (Railway, Netlify, Stripe) unless caused by our misconfiguration
- Theoretical attacks requiring broken cryptography (we assume standard hardness assumptions)
- Findings in unmaintained
markdown_files/orpublic/legacy-*content not served in production
How to report
- Do not open a public GitHub issue for security vulnerabilities.
- Email security@quantzk.com with:
- Description and impact
- Steps to reproduce (HTTP requests, test vectors, or commit SHA)
- Affected component (API route, circuit ID, package name)
- Suggested fix (optional)
- Encrypt sensitive details if needed — request a PGP key in your initial email.
We will acknowledge receipt and coordinate disclosure timing with you.
Response targets
| Severity | Examples | Target first response |
|---|---|---|
| Critical | Key material leak, proof forgery, billing bypass | 24 hours |
| High | Replay bypass, artifact substitution at boot, auth bypass on attest | 72 hours |
| Medium | Information disclosure, misconfiguration defaults | 1 week |
| Low | Hardening, non-exploitable crashes | 2 weeks |
Targets are goals, not guarantees. Complex crypto issues may need more time.
Safe harbor
We support good-faith security research on in-scope systems. Do not access customer data, disrupt production, or exceed what is needed to demonstrate impact. We will not pursue legal action against researchers who follow this policy.
What we publish
- Confirmed fixes and advisory summaries (when appropriate)
- Updated artifact manifests and conformance vectors when crypto artifacts rotate
- No attribution without your consent
Related resources
- Security model — threat model and assumptions
- Billing v2 attack matrix — expected fail-closed behaviors
- Artifact hash commands — reproduce pins locally
- NCC / third-party review — auditor entry points
Contact: security@quantzk.com
