Skip to content

Responsible Disclosure Policy

If you've found a security vulnerability in Querri, we want to hear from you. This policy describes what you can test, how to report what you find, and our commitment to researchers acting in good faith.

Querri, Inc. Responsible Disclosure Policy

Last revised on: May 19, 2026

Report vulnerabilities to security@querri.com.

Querri takes the security of our systems and our customers' data seriously. We value the work of security researchers and welcome reports of vulnerabilities that could affect our customers. This policy outlines how to report a vulnerability to us, what's in scope, and what you can expect in return.

This policy follows the disclose.io framework for coordinated vulnerability disclosure.

1. Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Querri will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for actions taken while complying with this policy, we will make this authorization known.

2. Guidelines

Under this policy, "research" means activities in which you:

  • Notify us as soon as possible after you discover a real or potential security issue.
  • Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
  • Only use exploits to the extent necessary to confirm a vulnerability's presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
  • Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
  • Do not submit a high volume of low-quality reports.

Once you've established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

3. Test Methods

The following test methods are not authorized:

  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data.
  • Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing) of Querri employees, customers, or vendors, or any other non-technical vulnerability testing.
  • Automated scanning that generates significant load or traffic.
  • Any testing that accesses, modifies, or destroys data belonging to other Querri customers. Use your own test account.

4. Scope

This policy applies to the following systems and services:

  • querri.com and its subdomains
  • app.querri.com (the Querri web application)
  • Querri's public APIs

If you aren't sure whether a system is in scope, contact us at security@querri.com before testing.

5. Out of Scope

Any services hosted by third-party providers are excluded from this policy. Please report vulnerabilities in those services directly to the provider.

In the interest of the safety of our users, staff, the internet at large, and you as a security researcher, the following findings are excluded from scope:

  • Findings from physical testing such as office access (e.g. open doors, tailgating).
  • Findings derived primarily from social engineering (e.g. phishing, vishing).
  • Findings from applications or systems not listed in the "Scope" section.
  • UI and UX bugs and spelling mistakes.
  • Network-level denial-of-service (DoS/DDoS) vulnerabilities.
  • Missing best-practice security headers without a demonstrated impact.
  • Reports from automated scanners without manual validation.

6. How to Report

Send your report to security@querri.com. Reports should be in English and should include:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue, including any URLs, payloads, or test accounts used.
  • Any relevant screenshots, logs, or proof-of-concept code.
  • Your name or handle if you'd like to be credited (optional).

Please do not include real customer data, credit card data, or other personally identifiable information in your report.

7. What You Can Expect From Us

When working with us under this policy, you can expect us to:

  • Acknowledge your report within five business days.
  • Work with you to understand and validate the report.
  • Keep you informed about the progress of remediation.
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
  • Extend safe harbor for your vulnerability research that is related to this policy.
  • Credit you publicly (with your permission) once the issue is resolved.

8. Recognition

We don't currently offer a paid bug bounty, but we're grateful to researchers who report issues responsibly. With your permission, we'll publicly acknowledge your contribution after the issue is resolved.

9. Machine-Readable Contact

Our security contact information is also published per RFC 9116 at /.well-known/security.txt.