Vulnerability Disclosure

Quantum XChange is committed to maintaining the security and integrity of its products and services, including Phio TX and related components. We welcome and encourage responsible security research and the reporting of vulnerabilities.

This policy describes how to report vulnerabilities, how we handle such reports, and the protections provided to researchers who act in good faith.

Scope

This policy applies to:

• Quantum XChange-operated systems and services, including Phio TX
• Domains owned and operated by Quantum XChange (including *.quantumxc.com)
• Public-facing APIs and interfaces

This policy does not apply to:

• Third-party systems or services not controlled by Quantum XChange
• Social engineering, phishing, or physical security testing
• Denial-of-service (DoS/DDoS) testing
• Automated scanning that degrades service performance

How to Report a Vulnerability

Please submit reports to: 

security@quantumxc.com

To assist in our investigation, include:

• A detailed description of the vulnerability
• The affected system, product, or component
• Steps to reproduce the issue
• Any supporting materials (logs, screenshots, proof-of-concept code)

If you wish to submit encrypted information, please request our public encryption key.

Our Commitment

We are committed to working with security researchers in a timely and transparent manner.

• Acknowledgment: within 72 hours of receipt
• Initial Assessment: within 5–7 business days
• Remediation: prioritized based on severity and impact
• Updates: periodic status updates throughout the process

We use industry-standard methodologies, including the CVSS, to assess and prioritize vulnerabilities.

Coordinated Vulnerability Disclosure

Quantum XChange follows a coordinated vulnerability disclosure process consistent with guidance from ENISA.

We request that researchers:

• Refrain from public disclosure until we have had a reasonable opportunity to investigate and remediate the issue
• Provide us a reasonable time window to address the vulnerability before disclosure

We are committed to acting in good faith and will work collaboratively to resolve reported issues.

Safe Harbor

If you act in good faith and in accordance with this policy:

• We will not initiate legal action against you
• We will not pursue claims under applicable anti-hacking laws
• We consider your research to be authorized

To qualify for Safe Harbor, you must:

• Avoid accessing, modifying, or deleting data that does not belong to you
• Avoid disrupting services or degrading system performance
• Limit testing to the minimum necessary to demonstrate the vulnerability
• Respect privacy and confidentiality at all times

If you inadvertently access sensitive data, you agree to:

• Stop testing immediately
• Notify us promptly
• Not disclose or retain the data

Researcher Conduct

You agree to:

• Act in good faith to identify security issues
• Avoid exploitation beyond what is necessary to demonstrate the vulnerability
• Not use the vulnerability for personal gain or malicious purposes

Legal Considerations

This policy is intended to provide authorization for security testing conducted in accordance with its terms. Activities conducted outside the scope of this policy may be subject to legal action.

Nothing in this policy grants permission to test systems outside of Quantum XChange’s control.

Recognition

At our discretion, we may acknowledge researchers who report valid vulnerabilities, unless anonymity is requested.

Contact

security@quantumxc.com

For all vulnerability reports and related inquiries.

Disclaimer

This policy does not create any contractual obligations or rights and may be updated from time to time. Quantum XChange reserves the right to modify this policy at its discretion.