QNSP is primarily delivered as a hosted service (QNSP Cloud). Security fixes are applied continuously to the hosted production environment.
For private/VPC/sovereign deployments, support status is defined by your contract and deployment configuration.
Please report security vulnerabilities privately to:
- Email: security@cuilabs.io
Include the following in your report:
- A clear description of the issue and expected impact
- Steps to reproduce (proof-of-concept)
- Affected components and versions (if known)
- Any relevant logs or request IDs (redacted)
Do not include secrets (API keys, tokens, passwords, private URLs) in reports.
- Acknowledgment target: within 48 hours
- Initial assessment target: within 5 business days
- Remediation target: 90 days for critical/high severity; 180 days for medium/low severity
- Public disclosure: coordinated with the reporter after a fix is deployed
We support good-faith security research. We will not pursue legal action against researchers who:
- Test only systems they own or have explicit permission to test
- Avoid privacy violations and accessing/modifying customer data
- Do not perform denial-of-service (DoS) testing
- Do not exploit issues beyond proof-of-concept validation
- Provide reasonable time for remediation prior to public disclosure