Vulnerability Disclosure

Coordinated disclosure, treated seriously

We welcome reports from the security community. Researchers acting in good faith under this policy will not face legal action from CosmoQuick.

Report a vulnerability

security@cosmoquick.com

Scope

In-scope assets

  • cosmoquick.com and subdomains
  • CosmoQuick web application
  • CosmoQuick public APIs
  • CosmoQuick mobile clients

Rules

What we ask of researchers

Encouraged

  • Testing only against accounts and data that belong to you
  • Following ethical hacking principles
  • Providing detailed reproduction steps and proof-of-concept
  • Allowing reasonable time to investigate and remediate before disclosure

Out of scope

  • Accessing, modifying, or destroying data that is not your own
  • Social engineering of CosmoQuick staff, customers, or vendors
  • Denial-of-service or load testing against production systems
  • Physical attacks, or attacks targeting third-party services
  • Public disclosure prior to coordinated remediation

Process

What happens after you report

  1. Acknowledgement

    We confirm receipt within 3 business days.

  2. Triage

    We assess severity, scope, and reproducibility within 10 business days.

  3. Remediation

    We work to remediate validated issues on a timeline matched to severity.

  4. Recognition

    With permission, we credit researchers in a hall of fame after remediation.

Safe Harbor

Good-faith research is protected

CosmoQuick will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in compliance with this policy. We may update this policy from time to time; material changes will be reflected on this page.