Responsible Disclosure

Security Policy

The QBITEL Bridge team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose any issues you find.

Do Not Use Public Issues

Please do NOT report security vulnerabilities through public GitHub issues. Use the private reporting process described below to ensure vulnerabilities are handled safely.

Supported Versions

Version             Supported
1.x                 Supported
0.x (pre-release)   Not Supported

How to Report a Vulnerability

Send an email to security@qbitel.com with the following information:

1. Description: A clear description of the vulnerability, including the affected component (AI engine, data plane, control plane, management API, UI).

2. Reproduction Steps: Detailed steps to reproduce the issue, including any scripts, payloads, or configurations needed.

3. Affected Versions: Which version(s) of QBITEL Bridge are affected. Run qbitel version to check.

4. Impact Assessment: Any potential impact you have identified (data exposure, privilege escalation, denial of service, etc.).

5. Suggested Fix (Optional): If you have a suggested fix or mitigation, please include it in your report.

What to Expect

  • Acknowledgment (48 hours): We will acknowledge receipt of your report within 48 hours and assign a tracking ID.
  • Initial Assessment (5 business days): We will investigate and provide an initial severity assessment and estimated timeline within 5 business days.
  • Resolution (30 days): We aim to release a fix for confirmed vulnerabilities within 30 days, depending on complexity.
  • Disclosure (90 days): We follow a 90-day disclosure policy and will coordinate with you on public disclosure timing.

Safe Harbor

We consider security research conducted in good faith to be authorized and will not pursue legal action against researchers who:

  • Make a good faith effort to avoid privacy violations, data destruction, or service disruption
  • Only interact with accounts they own or with explicit permission from the account holder
  • Report vulnerabilities promptly and do not exploit them beyond what is necessary to confirm the issue

Deployment Security Best Practices

When deploying QBITEL Bridge in production, follow these hardening recommendations:

  • Always use TLS 1.3 in production: set tls_min_version: "TLSv1.3" in your configuration.
  • Set secrets via environment variables: never store credentials, API keys, or JWT secrets in configuration files.
  • Enable audit logging: set audit_logging_enabled: true for compliance and forensic analysis.
  • Use verify-full SSL mode for databases: ensure database connections validate server certificates in production.
  • Enable post-quantum cryptography: activate PQC for forward secrecy against future quantum computing threats.
  • Rotate keys and secrets regularly: configure automatic rotation for JWT secrets, encryption keys, and PQC key pairs.
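The following is an added example, not QBITEL Bridge's own code or tooling: a small audit script that checks an already-parsed deployment configuration against the hardening checklist above and reports every deviation. Only tls_min_version and audit_logging_enabled are key names taken from this page; the database block with its sslmode key, the pqc_enabled key, the names treated as secrets (jwt_secret, api_key, password), the ${ENV_VAR} reference convention, and both sample configurations are assumptions constructed for the example.

```python
import re
from typing import Any, Dict, List, Mapping, Optional, Tuple

# Keys whose values must be references to environment variables, never literals.
# The key names and the ${VAR} syntax are assumptions for this example.
SECRET_KEYS = ("jwt_secret", "api_key", "password")
ENV_REF = re.compile(r"^\$\{([A-Z][A-Z0-9_]*)\}$")


def parse_tls_version(value: str) -> Optional[Tuple[int, int]]:
    """Turn a string such as "TLSv1.3" into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"TLSv(\d+)\.(\d+)", value)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def resolve_secret(value: str, env: Mapping[str, str]) -> str:
    """Resolve a ${VAR} reference from the environment; a literal is rejected."""
    m = ENV_REF.match(value)
    if not m:
        raise ValueError("secret must be an environment variable reference, not a literal")
    name = m.group(1)
    if name not in env:
        raise KeyError(f"environment variable {name} is not set")
    return env[name]


def audit_config(cfg: Dict[str, Any]) -> List[str]:
    """Return one finding per hardening recommendation the configuration violates."""
    findings: List[str] = []

    tls = cfg.get("tls_min_version")
    parsed = parse_tls_version(str(tls)) if tls is not None else None
    if parsed is None:
        findings.append('tls_min_version missing or malformed; set it to "TLSv1.3"')
    elif parsed < (1, 3):
        findings.append(f'tls_min_version is {tls}; production requires "TLSv1.3"')

    if cfg.get("audit_logging_enabled") is not True:
        findings.append("audit_logging_enabled is not true; no audit trail for forensic analysis")

    db = cfg.get("database", {})
    if db.get("sslmode") != "verify-full":
        findings.append(f'database.sslmode is {db.get("sslmode")!r}; use "verify-full" '
                        "so the server certificate is validated")

    if cfg.get("pqc_enabled") is not True:  # assumed key name
        findings.append("pqc_enabled is not true; enable post-quantum cryptography")

    # Walk the whole tree so secrets nested in sub-blocks are caught too.
    def walk(node: Any, path: str) -> None:
        if isinstance(node, dict):
            for key, val in node.items():
                child = f"{path}.{key}" if path else key
                if key in SECRET_KEYS and isinstance(val, str) and not ENV_REF.match(val):
                    findings.append(f"{child} holds a literal secret; use an environment variable")
                walk(val, child)
        elif isinstance(node, list):
            for i, val in enumerate(node):
                walk(val, f"{path}[{i}]")

    walk(cfg, "")
    return findings


# Constructed sample configurations (not real deployments or real secrets).
WEAK_CONFIG: Dict[str, Any] = {
    "tls_min_version": "TLSv1.2",
    "audit_logging_enabled": False,
    "jwt_secret": "change-me-literal",
    "database": {"host": "db.internal", "sslmode": "require", "password": "literal-password"},
}

HARDENED_CONFIG: Dict[str, Any] = {
    "tls_min_version": "TLSv1.3",
    "audit_logging_enabled": True,
    "pqc_enabled": True,
    "jwt_secret": "${QBITEL_JWT_SECRET}",
    "database": {"host": "db.internal", "sslmode": "verify-full", "password": "${QBITEL_DB_PASSWORD}"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Running the script reports six findings for the weak configuration (TLS floor, audit logging, database sslmode, PQC, and the two literal secrets) and none for the hardened one; resolve_secret shows the intended pattern for the secrets rule, where the file carries only the variable name and the value is read from the process environment at startup.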

Found a Security Issue?

Report it privately to security@qbitel.com. We respond within 48 hours and provide safe harbor for good-faith research.