Responsible Disclosure

Security vulnerability reporting policy for Quasar Integrated Enterprise Management (IEM) and Quasar International Group

1. Our Commitment to Security

At Quasar International Group, we take the security of our Services and our users' data very seriously. We recognize the important role that security researchers and the broader security community play in keeping our platform secure. This Responsible Disclosure Policy outlines how we work with security researchers to identify and address security vulnerabilities.

We are committed to working with security researchers to resolve security issues quickly and transparently. We appreciate your efforts to help us maintain the security and privacy of our users.

2. Scope

This policy applies to the following systems and services:

  • Quasar IEM web application (https://www.quasarinternational.com and related domains)
  • Quasar IEM mobile applications
  • Quasar IEM API endpoints
  • Quasar IEM cloud infrastructure
  • Third-party integrations and services operated by Quasar International Group

Out of Scope: The following are explicitly excluded from this policy:

  • Social engineering attacks
  • Physical security issues
  • Denial of Service (DoS) attacks
  • Spam or phishing attacks
  • Issues requiring physical access to a user's device
  • Issues in third-party applications or services not directly operated by Quasar
  • Vulnerabilities in outdated or unsupported versions of our software

3. Reporting a Vulnerability

If you discover a security vulnerability, we encourage you to report it to us as soon as possible. Please follow these guidelines:

3.1 How to Report

Send your vulnerability report to: security@quasarinternational.com

Your report should include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any proof-of-concept code or screenshots (if applicable)
  • Your contact information (optional, but helpful for follow-up questions)

3.2 What to Expect

We will acknowledge receipt of your report within 48 hours and provide an initial assessment within 7 business days. We will keep you informed of our progress in addressing the vulnerability.

4. Guidelines for Responsible Disclosure

When reporting vulnerabilities, please adhere to the following guidelines:

4.1 Do Not:

  • Access, modify, or delete data that does not belong to you
  • Disrupt or degrade our services
  • Perform any actions that could harm our users or their data
  • Disclose the vulnerability publicly before we have had a chance to address it
  • Violate any applicable laws or regulations
  • Use automated scanning tools that may impact system performance
  • Attempt to gain access to other users' accounts or data

4.2 Do:

  • Act in good faith and with the intent to help improve security
  • Respect user privacy and confidentiality
  • Only test on systems you own or have explicit permission to test
  • Provide sufficient detail to allow us to reproduce and verify the issue
  • Give us reasonable time to address the vulnerability before public disclosure
  • Follow responsible disclosure practices

5. Our Response Process

When we receive a vulnerability report, we follow this process:

  1. Acknowledgment: We will acknowledge receipt within 48 hours
  2. Initial Assessment: We will review and assess the vulnerability within 7 business days
  3. Investigation: Our security team will investigate and verify the issue
  4. Remediation: We will develop and deploy a fix as quickly as possible
  5. Verification: We will verify that the fix resolves the vulnerability
  6. Disclosure: We will coordinate with you on public disclosure, if appropriate

The timeline for remediation depends on the severity of the vulnerability. Critical vulnerabilities will be addressed with the highest priority.

6. Vulnerability Severity Classification

We classify vulnerabilities using the following severity levels:

6.1 Critical

Vulnerabilities that could lead to complete system compromise, unauthorized access to sensitive data, or significant service disruption. Examples: Remote code execution, SQL injection, authentication bypass.

6.2 High

Vulnerabilities that could lead to unauthorized access to user data or significant functionality compromise. Examples: Privilege escalation, sensitive data exposure, cross-site scripting (XSS) affecting multiple users.

6.3 Medium

Vulnerabilities that could lead to limited unauthorized access or information disclosure. Examples: Limited XSS, information disclosure, CSRF affecting non-sensitive operations.

6.4 Low

Vulnerabilities with minimal security impact. Examples: Minor information disclosure, low-impact denial of service.

7. Recognition and Rewards

We appreciate the efforts of security researchers who help us improve our security. While we do not currently operate a formal bug bounty program, we may, at our discretion:

  • Publicly acknowledge your contribution (with your permission)
  • Add you to our security researcher hall of fame
  • Provide swag or other recognition for significant findings
  • Consider monetary rewards for exceptional vulnerabilities (at our discretion)

Recognition is provided at our sole discretion and is not guaranteed. We reserve the right to modify or discontinue our recognition program at any time.

8. Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith and in accordance with this Responsible Disclosure Policy
  • Do not access, modify, or delete data that does not belong to them
  • Do not disrupt or degrade our services
  • Do not violate any applicable laws or regulations
  • Report vulnerabilities in a timely manner
  • Do not publicly disclose the vulnerability before we have addressed it

This safe harbor applies only to security research activities that are consistent with this policy. Any activities that go beyond the scope of this policy may result in legal action.

9. Public Disclosure

We encourage coordinated disclosure. If you wish to publicly disclose a vulnerability, please wait until we have:

  • Acknowledged the vulnerability
  • Had a reasonable opportunity to address it (typically 90 days for critical, 60 days for high, 30 days for medium/low severity)
  • Deployed a fix or determined that no fix will be provided

We appreciate advance notice of any planned public disclosure and are happy to coordinate with you on the timing and content of such disclosure.

10. Questions and Contact

If you have questions about this Responsible Disclosure Policy or need to report a security vulnerability, please contact us:

Quasar International Group Security Team

Email: security@quasarinternational.com

PGP Key: Available upon request

Address: 123 Brickell Avenue, Suite 1500, Miami, FL 33131, USA

For urgent security matters, please include "URGENT" in the subject line.

11. Policy Updates

We may update this Responsible Disclosure Policy from time to time. We will notify security researchers of any material changes. The most current version will always be available on this page.

Thank You

We sincerely appreciate the efforts of security researchers who help us keep our platform secure. Your responsible disclosure helps protect our users and strengthens the security of our Services. Thank you for your contribution to making Quasar IEM a more secure platform.