Vulnerability Disclosure Policy
At Qbee, the security of our infrastructure, our device management platform, and — most importantly — our customers' data is our top priority. We appreciate the vital role that independent security researchers play in keeping the internet safe.
If you believe you have discovered a vulnerability in a Qbee product or service, we encourage you to let us know right away. We are committed to working with you to validate and resolve any reported issues.
Scope
This policy applies to the following systems and services:
- Web Properties: *.qbee.io
- The Qbee Platform: The Qbee dashboard and backend APIs.
- Tooling: The Qbee Agent (open-source or binary), Qbee CLI, and official SDKs.
Out of Scope
- Third-party integrations or services not directly authored by Qbee.
- Physical security of our offices or data centers.
- Social engineering (e.g., phishing) targeting Qbee employees or users.
- Resource exhaustion or Denial of Service (DoS) attacks.
Guidelines for Responsible Disclosure
To encourage reporting and to protect both our researchers and our users, we ask that you:
- Avoid Privacy Violations: Do not access, modify, or delete data belonging to other users. Only interact with accounts you own or have explicit permission to test.
- Avoid Disruptions: Do not perform testing that would degrade our services or cause a Denial of Service (DoS).
- Maintain Confidentiality: Please provide us a reasonable amount of time to resolve the issue before making any information public.
- No Ransom: We do not respond to reports that include threats or demands for payment.
How to Report a Vulnerability
Please submit your findings to security@qbee.io. To help us triage your report quickly, please include:
- A Clear Description: What is the vulnerability and what is the potential impact?
- Steps to Reproduce: Detailed steps, scripts, or screenshots so our team can verify the issue.
- Affected Component: Specify the URL, API endpoint, or tool version.
Optional: You may encrypt your report using our PGP Key https://cdn.qbee.io/security.gpg
Fingerprint 1B98 7CAC F018 574D D6E1 739B EF35 9744 0CC8 25B8
Our Commitment to You
If you follow these guidelines when reporting an issue to us, we commit to:
- Timely Acknowledgment: We will acknowledge receipt of your report within 2–3 business days.
- Transparency: We will keep you informed of our progress as we investigate and remediate the vulnerability.
- Safe Harbor: Qbee will not pursue legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy.
- Recognition: With your permission, we are happy to acknowledge your contribution to our Security Hall of Fame once the issue is resolved.
Rewards & Recognition
Currently, Qbee does not operate a paid bug bounty program. However, we highly value your time and expertise. Valid, high-quality reports are eligible for:
- Public recognition on our Security page.
- Qbee-branded "Security Researcher" swag.
- A letter of recommendation or LinkedIn endorsement for your professional portfolio.