QRUpp - Security & Responsible Disclosure

1. How to report a vulnerability

Email security@qrupp.com with details of the issue, steps to reproduce, affected URLs/endpoints, and any proof-of-concept. Please include your contact information for follow-up.

2. Scope

• QRUpp web applications, APIs, and official domains/subdomains operated by Web Upp Limited.
• Out-of-scope: third-party services, demo environments not under our control, social media profiles, and assets clearly marked as excluded.

3. Research guidelines

• Avoid privacy violations, data destruction, or service degradation.
• Do not access or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
• No social engineering, phishing, physical attacks, or DDoS.
• Use test accounts where possible.

4. Safe harbour

If you follow this policy in good faith and report vulnerabilities promptly, we will not initiate legal action for security research that is consistent with these guidelines and UK law. This safe harbour does not apply to actions that are malicious, cause harm, or violate data-protection laws.

5. Triage & response

• Acknowledge receipt within 3 working days.
• Provide an initial assessment within 10 working days.
• Work with you to validate and remediate the issue; we may request additional details.
• We appreciate responsible disclosure and, with your consent, can provide public thanks after resolution.

6. Recognition & rewards

At this time, QRUpp does not operate a paid bug bounty programme. We may offer discretionary recognition for significant reports.

7. Confidentiality

Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and deploy a fix. We aim to keep you informed of progress.

8. Changes to this policy

We may update this Security & Responsible Disclosure Policy from time to time. The “Last updated” date indicates the latest version.

9. Contact

We do not accept postal correspondence. Please report all security issues by email to ensure a prompt response.