Trust & Security

Last updated: June 2026

Our security posture

Security is what we do, and we hold our own environment to the standard we set for clients. We run a formal security program aligned to the NIST Cybersecurity Framework (CSF) 2.0 and the CIS Critical Security Controls. In practice that means:

  • Multi-factor authentication on accounts and administrative access.
  • Least-privilege access and regular access reviews.
  • Encryption of data in transit and at rest.
  • Centralized logging and monitoring of our systems.
  • Vendor due diligence and ongoing third-party risk management.

Responsible disclosure policy

We welcome reports from security researchers who help us keep our systems and our clients safe. If you believe you have found a vulnerability in a Qanta-owned website or service, we want to hear from you. This policy applies to the assets we own and operate; it does not authorize testing against client systems or any third-party service.

Safe harbor

We will not pursue or support legal action against researchers who act in good faith and in accordance with this policy. Good-faith research means you avoid privacy violations, data destruction, and service disruption; you do not access or modify data beyond the minimum necessary to demonstrate an issue; and you give us a reasonable opportunity to remediate before any public disclosure. If you are uncertain whether an activity is permitted, ask us first.

How to report a vulnerability

To report a vulnerability, please reach out to us with the details. A machine-readable contact is also published at /.well-known/security.txt. A helpful report includes:

  • A clear description of the issue and its potential impact.
  • The affected URL, endpoint, or component.
  • Steps to reproduce, including any proof-of-concept.
  • Your contact details so we can follow up.

Coordinated disclosure timeline

We aim to acknowledge your report within three business days, provide an initial assessment within ten business days, and keep you informed as we work toward a fix. We ask that you give us a reasonable window, typically up to 90 days, to remediate before any public disclosure, and we are happy to coordinate timing and credit with you.

Out of scope

  • Denial-of-service attacks or volumetric/load testing.
  • Social engineering, phishing, or physical attacks against staff.
  • Reports from automated scanners without a demonstrated impact.
  • Issues in third-party services we do not own or operate.

Recognition

We are grateful to the researchers who help us improve. With your permission, we are happy to acknowledge your contribution once an issue is resolved.