Reporting a vulnerability
Security reports should be sent to info@quotr.ai.
Please include:
- A clear description of the issue
- Steps to reproduce
- Affected URLs, accounts, or endpoints
- Potential impact
- Screenshots, logs, or proof-of-concept details if helpful
- Your preferred contact information for follow-up
Responsible testing guidelines
Researchers should:
- Test only against their own account or data
- Avoid accessing, modifying, deleting, or exfiltrating data that is not theirs
- Avoid service disruption or degradation
- Avoid automated high-volume scanning
- Avoid social engineering, phishing, spam, or physical attacks
- Avoid attacks against employees, users, vendors, or third-party services
- Stop testing and contact us immediately if they encounter sensitive data
Out of scope
The following are generally out of scope:
- Missing security headers without demonstrated practical impact
- Clickjacking on pages without sensitive actions
- SPF/DKIM/DMARC issues without demonstrated impact
- Rate limiting issues without meaningful security impact
- Reports from automated scanners without validation
- Vulnerabilities in third-party services not controlled by Quotr
- Denial-of-service or resource exhaustion attacks
- Social engineering or phishing attempts
Disclosure expectations
If you plan to publish information about an issue, contact us privately first and give us reasonable time to review and fix it before sharing details more widely. Reports handled this way are usually easiest for us to prioritize and follow up on.
We appreciate responsible reports that help protect our services and customers.