Responsible Disclosure Guidelines
Effective Date: 20 November 2025
Introduction
At Qualithm, we value the contributions of the security research community. These Responsible Disclosure Guidelines describe how to report potential security vulnerabilities and outline how we handle such reports.
These guidelines are intended to support coordinated, good-faith security research. They are not a legal policy or a contractual document.
Scope
These guidelines cover vulnerability reports affecting:
- Qualithm websites, applications, APIs, and interfaces;
- Qualithm cloud infrastructure;
- Device-to-cloud communication and provisioning systems;
- Client SDKs, CLIs, libraries, or tooling.
Out of Scope
- Third-party services not operated by Qualithm;
- Physical security testing;
- Social engineering or phishing campaigns;
- DDoS, load testing, or stress testing;
- Use of automated scanning tools that disrupt production systems.
How to Report a Security Issue
If you believe you have found a vulnerability, please contact:
Email: security@qualithm.com
PGP Key for Secure Reports
For sensitive or high-impact reports, you may encrypt your message using our PGP key.
Key ID: 0xDDC5B3A7E72D6E33
Fingerprint: C37C 4CC3 3CD5 6FE7 E2E4 0A21 DDC5 B3A7 E72D 6E33
Helpful information to include:
- steps to reproduce the issue;
- affected endpoint, system, or component;
- impact or severity, if known;
- supporting logs or proof-of-concept materials.
How We Respond
- Acknowledge valid reports within 48 hours;
- Provide an initial assessment within 5 business days;
- Work toward remediation based on impact and severity;
- Coordinate disclosure where appropriate.
Safe Harbour
Researchers acting in good faith and following these guidelines will not be subject to legal action by Qualithm for their research activities. This safe harbour applies only to actions conducted ethically and within the guidelines.
Hall of Thanks
We appreciate the security researchers who help keep Qualithm safe. No reports have been acknowledged yet — be the first to responsibly disclose a vulnerability.
Changes to These Guidelines
We may update these guidelines to reflect improvements in our security processes or changes in industry standards. Material changes will be communicated where practicable.
Contact
Security: security@qualithm.com
Legal: legal@qualithm.com
Privacy & Data Protection: privacy@qualithm.com