[ Coordinated Disclosure ]

Vulnerability Disclosure Policy

We welcome reports from the security research community. This policy explains how to report a vulnerability, what's in scope, and what to expect from us.

Last updated: 7 May 2026

Our Commitment

Security is fundamental to what Quantum Wave Solutions delivers. We take credible reports seriously and treat researchers acting in good faith as partners, not adversaries.

In Scope

The following systems are in scope for this policy:

  • https://quantumwave.com.au
  • https://www.quantumwave.com.au

Out of Scope

The following are explicitly out of scope. Reports against these will not be acknowledged through this channel:

  • Subdomains of quantumwave.com.au (including support.quantumwave.com.au) and any other domain operated by QWS or its customers.
  • Customer-deployed Sovereign or Enterprise platforms (including but not limited to Hexlitix and SLDisrupt deployments). These are operated by the customer and require direct authorisation from that customer to test.
  • Third-party services we use but do not operate (for example, Microsoft 365, AWS, hosting providers). Report these to the relevant vendor.
  • Findings that require physical access, social engineering of QWS personnel or customers, or denial-of-service / volumetric attacks.
  • Theoretical or low-impact issues without a demonstrable security consequence (for example, missing security headers without an exploitable path, banner-grab disclosures, or automated scanner output without analysis).
  • Issues in third-party browser extensions, password managers, or other software running on the researcher's own machine.

Rules of Engagement

To stay within this policy, please:

  • Test only against in-scope systems.
  • Stop and report once you have proven a vulnerability — do not exfiltrate, modify, or destroy data.
  • Use test accounts where possible. If you encounter another user's data, stop immediately and tell us in your report.
  • Do not run automated scanners that generate substantial traffic. Manual or low-volume testing only.
  • Do not publicly disclose the vulnerability before we have confirmed remediation, or before 90 days have passed since report — whichever comes first. We will work with you on timing.
  • Comply with all applicable laws.

How to Report

Email connect@quantumwave.com.au with the subject line Security Report — VDP.

Please include:

  • A clear description of the vulnerability and where it was found.
  • Step-by-step reproduction instructions.
  • An assessment of impact.
  • Any proof-of-concept materials (screenshots, scripts, request/response captures).
  • Whether you would like to be credited if we publish a security note, and how.

We do not currently offer encrypted submission via PGP. If you require an encrypted channel, contact us first and we will arrange one.

What You Can Expect From Us

  • Acknowledgement within ten (10) Australian business days of receipt.
  • Triage — an initial assessment of validity and severity, communicated to you.
  • Status updates at reasonable intervals while we investigate and remediate.
  • Remediation — a target of ninety (90) days for high-severity issues. Lower-severity issues are scheduled into our normal release cycle. We will tell you if we expect to need longer.
  • Credit — if you wish, we will publicly acknowledge your contribution once the issue is resolved.

Safe Harbour

If you make a good-faith effort to comply with this policy:

  • QWS will not pursue civil action against you, or refer you for criminal prosecution, for activity that complies with this policy.
  • We grant you authorisation to access and test the in-scope systems for the limited purpose of identifying and reporting security vulnerabilities, and we waive any restrictions in our Terms of Service that would otherwise prohibit conduct consistent with this policy. This authorisation is provided in the context of Part 10.7 (Computer Offences) of the Criminal Code Act 1995 (Cth).
  • If a third party brings legal action against you for activity that was clearly within the scope of this policy, we will make our authorisation known.

Safe harbour does not extend to activity outside this policy — including testing of out-of-scope systems, exfiltration, public disclosure prior to remediation, or violations of applicable law.

No Bug Bounty

Quantum Wave Solutions does not currently operate a paid bug bounty program. Reports are accepted on a goodwill basis only. We reserve the right to introduce a paid program in future.

This policy is reviewed at least annually. The most current version is always available at quantumwave.com.au/vulnerability-disclosure. A machine-readable contact reference is published at /.well-known/security.txt per RFC 9116.
