Vulnerability disclosure
How to report a security vulnerability in The Quantum Club, what is in scope, and what to expect when you do — our coordinated disclosure policy and safe-harbor commitment.
The Quantum Club runs a coordinated vulnerability disclosure (VDP) program. If you have found a security issue, we want to hear about it — and we commit to working with you in good faith to resolve it.
How to report
Email security@thequantumclub.com with enough detail to reproduce the issue: the affected URL or endpoint, a description of the vulnerability, and the steps, payloads, or proof-of-concept needed to confirm it. Our machine-readable contact is published at /.well-known/security.txt (RFC 9116).
Report privately
Please report privately by email. Do not open public issues, post details on social media, or disclose the vulnerability to third parties before we have had a chance to remediate.
What to expect
- Acknowledgement within 3 business days.
- Triage and a severity assessment within 10 business days, with a path to resolution and an estimated timeline.
- Coordinated disclosure — we will agree a disclosure date with you once a fix is shipped. We are happy to credit you (or keep you anonymous, your choice).
Safe harbor
We will not pursue or support legal action against researchers who, in good faith:
- make a genuine effort to avoid privacy violations, data destruction, and service degradation;
- only access the minimum data necessary to demonstrate a vulnerability;
- do not exploit an issue beyond what is needed to prove it, and do not exfiltrate, retain, or share data;
- give us reasonable time to remediate before any public disclosure.
Activity conducted consistent with this policy is considered authorized, and we will treat it as such.
In scope
- os.thequantumclub.com (the Club OS application)
- docs.thequantumclub.com (this documentation site)
- The public API surface documented under API
- SCIM and SSO provisioning endpoints
Out of scope
- Findings that require a compromised device, rooted/jailbroken environment, or a man-in-the-middle position you control
- Volumetric denial-of-service, rate-limit exhaustion, or load testing
- Social engineering of staff, members, or partners; physical attacks
- Reports from automated scanners without a demonstrated, exploitable impact
- Missing security headers or best-practice recommendations with no concrete attack
- Vulnerabilities in third-party services we do not operate
Rewards
This is a coordinated-disclosure program, not a paid bug bounty. We recognize researchers with public credit and, at our discretion, may offer tokens of thanks for high-impact reports.