Effective: June 2026 · Last updated: June 2026
Our commitment
Qrious Insight takes the security of our systems and the protection of our customers’ data seriously. We value the work of the security research community, and we welcome reports of potential vulnerabilities in our products and services. This policy explains how to report a security issue to us, what is in scope, what you can expect from us, and the protections we extend to good-faith researchers.
How to report a vulnerability
Email security@qriousinsight.com.
To help us assess and reproduce the issue quickly, please include:
- A clear description of the vulnerability and its potential impact
- The affected asset (URL, endpoint, application, or component)
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code, requests, or screenshots
- Your name or handle, if you would like to be credited
Please send one issue per report where possible, and avoid including real customer data in your submission.
Scope
In scope:
- qriousinsight.com and its subdomains, including clients.qriousinsight.com and pmo.qriousinsight.com
- The Qrious Insight Suite web application and its public-facing APIs
- Other production systems we operate that process customer data
Out of scope:
- Infrastructure and services operated by our providers rather than by us (for example, our cloud hosting provider). Please report those directly to the relevant provider.
- Findings from automated tools without a demonstrated, realistic security impact
- Denial-of-service (DoS/DDoS), volumetric, brute-force, or load/stress testing
- Social engineering, phishing, or physical attacks against our staff, customers, or facilities
- Reports limited to missing “best practice” hardening with no demonstrated exploit (for example, missing security headers, SPF/DKIM/DMARC configuration, TLS configuration preferences, or cookie flags) unless you can show concrete impact
- Issues in third-party software for which a vendor patch is not yet available
If you are unsure whether something is in scope, contact us before testing and we will be happy to clarify.
Safe harbour
We consider security research and vulnerability disclosure conducted in accordance with this policy to be authorised conduct. When you make a good-faith effort to comply with this policy during your research, we will:
- Not pursue or support legal action against you in connection with your research, including under computer-misuse, anti-hacking, or anti-circumvention laws that might otherwise apply
- Work with you to understand and resolve the issue promptly
- Recognise your contribution if you are the first to report a valid, previously unknown vulnerability and you wish to be credited
If legal action is initiated by a third party against you for activity that was conducted in accordance with this policy, we will take steps to make it known that your actions were authorised. This safe harbour applies only to good-faith research that respects the rules below; it does not authorise activity that is illegal in your jurisdiction or that harms our customers or systems.
Rules of engagement
To stay within this policy and the safe harbour above, we ask that you:
- Act in good faith and avoid any activity that degrades, disrupts, or harms our systems, services, or users
- Only access, store, or interact with data that belongs to you or to a test account you are authorised to use
- Access only the minimum amount of data necessary to demonstrate a vulnerability, and stop once you have confirmed it — do not access, modify, delete, or exfiltrate further data
- Not run denial-of-service tests, send spam, or perform social engineering against our people or customers
- Keep the details of any vulnerability confidential until we have had a reasonable opportunity to remediate it (see Coordinated disclosure below)
- Comply with all applicable laws
If you inadvertently access sensitive data (such as personal data or credentials) during your research, stop, do not retain or share it, and tell us in your report.
What you can expect from us
When you report in line with this policy, we will:
- Acknowledge your report within 3 business days
- Provide an initial assessment and triage within 10 business days, and let you know whether the issue is accepted, needs more information, or is out of scope
- Keep you informed of our progress as we work toward a fix
- Remediate validated vulnerabilities in line with our vulnerability-management process, prioritised by severity. Issues that materially affect security are addressed within 90 days of validation, and any issue with evidence of active exploitation is prioritised for an expedited fix
- Where a fix requires action from our customers, publish guidance so they can protect themselves
Coordinated disclosure
We are committed to coordinated disclosure. Please give us a reasonable opportunity to remediate before disclosing any vulnerability publicly, and coordinate the timing of any public disclosure with us. We are happy to discuss disclosure timelines and to acknowledge your contribution publicly once an issue is resolved, if you wish.
Rewards
This is a vulnerability disclosure programme. We do not currently offer monetary rewards, but we are grateful for your help and are happy to credit researchers who report valid issues.
Contact
Security reports: security@qriousinsight.com
Machine-readable version of this contact information: https://qriousinsight.com/.well-known/security.txt
