Security disclosure
We honor coordinated disclosure. If you believe you've found a vulnerability in any 4 Qubits surface (portal, the gated apps, the Decision Ledger, the public verifier, the SDK, or the air-gapped Vault verifier), please email us before publishing.
Coordinated disclosure
security.txt (RFC 9116)
Languages
English
Acknowledgments
We publicly credit researchers who follow coordinated disclosure (with permission) on this page.
In scope
*.4qubits.com (portal, app, trust, govern, www); 4 Qubits SDK packages; air-gapped Vault verifier.
Out of scope
Third-party services (Cloudflare, Azure, Microsoft Entra), SPF/DMARC misconfigurations not affecting auth, social-engineering, denial of service, automated scanning rate-limits.
What to include
- Affected surface (URL, package, or binary)
- Reproduction steps; minimal proof of concept
- Impact assessment (confidentiality / integrity / availability)
- Whether the issue is already public or known to a third party
Response
We acknowledge receipt within one business day, provide a triage assessment within five business days, and target remediation timelines based on severity. We do not pay bounties at this time but we publicly credit researchers who follow coordinated disclosure.