Responsible Disclosure Policy

The Quantum team and community strive to provide products that are free of bugs that would impact the privacy and security of your data and resources. We are dedicated to maintain responsible disclosure and make every effort to close any gaps found within our platform or product that is within our scope to correct. We appreciate the dedication and effort to responsibly disclose security findings, and will make every effort to acknowledge contributors.

To report a security issue, email security.oss@quantum.security and include the word "SECURITY" in the subject line.

The Quantum team will respond in acknowledgement of your report. After the initial reply to your report, the security team will investigate and provide updates towards the resolution and a timeline regarding a full announcement. We may ask for additional information or guidance so please be sure to include a way to contact you.

Report security bugs in third-party modules to the person or team maintaining the module. You may also report a vulnerability through the various package registries' responsible reporting processes.

Disclosure Policy

When Quantum's security team receives a security bug report, they will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

• Confirm the problem and determine the affected versions.
• Audit code to find any potential similar problems.
• Prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible to the project(s) respective package registries.

Comments on this Policy

If you have suggestions on how this process could be improved please submit a pull request.