Responsible disclosure

Reporting a vulnerability

If you believe you've found a security vulnerability in any Qores property or product, please email us at security@qores.studio. Include enough detail for us to reproduce the issue — affected URL or component, a description of the vulnerability, and step-by-step reproduction notes or a proof of concept where possible.

Our commitment

• We'll acknowledge your report as quickly as we can.
• We'll keep you updated as we investigate and work toward a fix.
• We won't pursue legal action against researchers who act in good faith and follow this policy.
• With your permission, we're happy to credit you once the issue is resolved.

Please do

• Give us a reasonable amount of time to investigate and remediate before any public disclosure.
• Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
• Only interact with accounts you own or have explicit permission to test.

Please don't

• Run automated scanners that degrade or disrupt our services.
• Access, modify, or delete data that doesn't belong to you.
• Use social engineering, phishing, or physical attacks against our team or infrastructure.

Machine-readable policy

A security.txt file following RFC 9116 is published at /.well-known/security.txt and points to security@qores.studio.