We welcome coordinated disclosure of vulnerabilities affecting the QSG service. Safe harbor applies to good-faith research.
Please include: a clear description, reproduction steps, observed vs expected behavior, and the impact assessment. We treat all reports as confidential until coordinated publication.
When conducting security research under this policy, we will not pursue legal action against you for the act of testing, provided that:
We commit to working with researchers in good faith, providing timely triage, and crediting researchers (with consent) in the security advisory when a fix ships.
The service is built on the following primitives. Detailed parameter sets and module boundaries are in the Cryptography page.
In scope:
api.quantumsecuregateway.com endpoints (POST /v1/entropy, POST /v1/verify, GET /v1/audit/:id, GET /health, POST /auth/request-access)Out of scope:
Researchers who report valid vulnerabilities and consent to attribution are listed in our security acknowledgments page. The first release of that page will be published once we have at least three independent researcher reports. Thank you for helping keep the service secure.
Canonical machine-readable disclosure policy.