Security Disclosure

We welcome coordinated disclosure of vulnerabilities affecting the QSG service. Safe harbor applies to good-faith research.

How to Report

Please include: a clear description, reproduction steps, observed vs expected behavior, and the impact assessment. We treat all reports as confidential until coordinated publication.

Safe Harbor

When conducting security research under this policy, we will not pursue legal action against you for the act of testing, provided that:

We commit to working with researchers in good faith, providing timely triage, and crediting researchers (with consent) in the security advisory when a fix ships.

Cryptographic Posture

The service is built on the following primitives. Detailed parameter sets and module boundaries are in the Cryptography page.

Scope

In scope:

Out of scope:

Recognition

Researchers who report valid vulnerabilities and consent to attribution are listed in our security acknowledgments page. The first release of that page will be published once we have at least three independent researcher reports. Thank you for helping keep the service secure.

Full policy

Canonical machine-readable disclosure policy.