Coordinated Vulnerability Disclosure Policy

At Quanza, we work hard to keep the digital infrastructure of our customers — including vital and mission‑critical networks — secure, reliable, and resilient. No system is ever perfect, and security researchers play an essential role in helping us improve. We genuinely appreciate the time, expertise, and effort researchers invest in reporting vulnerabilities responsibly.

By working together, we can protect our customers, contribute to a safer internet, and strengthen the security of the wider community. This policy explains how you can report security vulnerabilities to us and what you can expect in return.

How to Report a Vulnerability

You can report a (suspected) vulnerability using:

Email: cvd@quanza.net

Please include, if possible:

• A clear description of the vulnerability
• The affected system, service, or URL
• Steps to reproduce the issue
• The potential impact
• Relevant evidence (screenshots, logs, PoC snippets)
• Your contact details (optional)

You may report anonymously if you prefer.

What You Can Expect from Quanza

• We acknowledge your report within two business days.
• We investigate the issue and may contact you for more information.
• We keep you updated on significant progress.
• We notify you when the issue has been fixed or sufficiently mitigated.
• We actively support coordinated public disclosure once the issue is resolved.
• We may publicly thank you (unless you prefer to remain anonymous).

We currently do not operate a bug bounty program. Any reward is discretionary and not guaranteed.

Safe Harbour

We will not take legal action against researchers who act in good faith and:

• Do not cause damage or service disruption
• Do not access, modify, copy, or delete data beyond what is strictly necessary to demonstrate the issue
• Do not misuse obtained information
• Refrain from publicly disclosing details before coordinated resolution
• Operate within the spirit of this CVD policy

If you're unsure whether something is allowed, contact us — we’re happy to advise.

Please Avoid

To protect our services and customers, please avoid:

• Social engineering (phishing, impersonation, vishing, etc.)
• DDoS or resource exhaustion attacks
• Malware, ransomware, or destructive tooling
• Brute-force attacks
• Accessing personal or customer data unnecessarily
• Damaging physical systems or infrastructure

Coordinated Disclosure

We are committed to responsible disclosure and are happy to collaborate on public write-ups or advisories once the issue is mitigated.

Where a vulnerability has a clear public or societal benefit in disclosure, we support responsible publication after mitigation. If third parties (such as customers or suppliers) are affected, we coordinate with them as well.

Thank You

Your contribution helps protect critical infrastructure and strengthens cybersecurity for everyone. Thank you for helping make the internet a safer place.

If you have questions about this policy, contact us at cvd@quanza.net.