Skip to content

Security disclosure

How to report vulnerabilities in QuantZK protocol software, the verifier API, and production deployments.

Scope

In scope

  • api.quantzk.com verifier API (billing attest/verify, VDI endpoints)
  • Cryptographic implementations (protocol/packages/*, circuits, artifact manifests)
  • Production configuration that affects billing integrity or attestation verification
  • quantzk.com / quantzk.com/docs when the issue enables compromise of user data or billing proofs

Out of scope

  • Social engineering, physical attacks, denial-of-service without a reproducible flaw
  • Issues in third-party services (Railway, Netlify, Stripe) unless caused by our misconfiguration
  • Theoretical attacks requiring broken cryptography (we assume standard hardness assumptions)
  • Findings in unmaintained markdown_files/ or public/legacy-* content not served in production

How to report

  1. Do not open a public GitHub issue for security vulnerabilities.
  2. Email security@quantzk.com with:
    • Description and impact
    • Steps to reproduce (HTTP requests, test vectors, or commit SHA)
    • Affected component (API route, circuit ID, package name)
    • Suggested fix (optional)
  3. Encrypt sensitive details if needed — request a PGP key in your initial email.

We will acknowledge receipt and coordinate disclosure timing with you.

Response targets

SeverityExamplesTarget first response
CriticalKey material leak, proof forgery, billing bypass24 hours
HighReplay bypass, artifact substitution at boot, auth bypass on attest72 hours
MediumInformation disclosure, misconfiguration defaults1 week
LowHardening, non-exploitable crashes2 weeks

Targets are goals, not guarantees. Complex crypto issues may need more time.

Safe harbor

We support good-faith security research on in-scope systems. Do not access customer data, disrupt production, or exceed what is needed to demonstrate impact. We will not pursue legal action against researchers who follow this policy.

What we publish

  • Confirmed fixes and advisory summaries (when appropriate)
  • Updated artifact manifests and conformance vectors when crypto artifacts rotate
  • No attribution without your consent

Contact: security@quantzk.com

Verification keys are embedded in attestations. The verifier is open source.