Security Disclosure
Responsible Security Disclosure Policy
Last updated: June 27, 2026Quotaflow welcomes responsible disclosure of security vulnerabilities that may affect the confidentiality, integrity, or availability of our systems. This page provides a safe and transparent way to report legitimate vulnerabilities without creating unnecessary operational or legal risk.
Overview
This is a responsible disclosure program, not a public bug bounty. Reports are reviewed based on severity, reproducibility, affected systems, and customer risk.
Security reports may involve account access, workspace isolation, AI gateway routing, usage metadata, quota controls, billing or usage manipulation, injection risks, or infrastructure configuration.
How to report a vulnerability
Send security concerns to security@quotaflow.ai with Security Disclosure in the subject. Include a clear description, affected asset or endpoint, reproduction steps or proof of concept, and the potential impact if exploited.
Where possible, include affected URLs, account or workspace identifiers, timestamps, request IDs, and enough detail for our team to reproduce the behavior without exposing private prompts, secrets, regulated data, or customer confidential content.
Scope
In-scope issues include authentication or authorization bypass, cross-workspace data exposure, unauthorized access to data, privilege escalation, model-route visibility problems, and demonstrable vulnerabilities in Quotaflow-operated production services.
Out-of-scope issues include denial-of-service testing, traffic flooding, automated scanning, mass-reported findings without exploitability, social engineering, physical attacks, and vulnerabilities in third-party services unless directly exploitable in Quotaflow systems.
Rules of engagement
Act in good faith, avoid automated scanning, fuzzing, brute-force attacks, spam workflows, or service disruption, and stop testing once a vulnerability is confirmed.
Do not access, modify, delete, or exfiltrate data that does not belong to you. Testing should be limited to your own account or explicitly authorized environments. If you encounter other customer data, stop and report immediately.
Safe harbor
Quotaflow does not pursue legal action against individuals who follow this policy, act in good faith, avoid privacy violations, avoid data destruction, and avoid service disruption.
This safe harbor applies only to activities conducted within the scope of this policy. Public disclosure should wait until the issue is resolved and a coordinated disclosure timeline is agreed where applicable.
Response expectations
We aim to acknowledge valid, in-scope reports within five business days. Remediation timelines depend on severity, customer risk, and business impact.
We do not guarantee detailed status updates, public recognition, or financial rewards.