Vulnerability Disclosure

Responsible disclosure policy.

Found a security issue in QR Vello? We're glad you're looking. This page tells you how to report it, what's in scope, and what to expect back from us.

Last reviewed · 2026-05-19

Our promise to researchers

Security researchers acting in good faith under this policy will not face legal action from QR Vello. We treat every report as a serious technical signal and respond to every report we receive. We commit to keeping you updated through investigation, fix, and (where appropriate) coordinated disclosure.

In scope

qr-vello.com — the main marketing site and all subdomains
The public REST API exposed at qr-vello.com/api/*
Authentication flows (sign-in, sign-up, OAuth, password reset, 2FA)
QR code redirect endpoints and short-link infrastructure
The admin dashboard and customer self-service area

Out of scope

Third-party services we depend on (Stripe, S3, payment processors, font CDNs)
Denial-of-service, distributed denial-of-service, or volumetric flooding
Social engineering of QR Vello staff, customers, or partners
Physical attacks against offices, data centers, or hardware
Spam, content injection, or any attack that affects other QR Vello users without consent
Reports based purely on missing security headers without a demonstrable impact
Automated scanner output without a working proof-of-concept

How to report

Email us at the address below. Encryption is appreciated but not required — we don't want a missing key to delay a report.

Send reports to

[email protected]

Write email

Include in your report:

Vulnerability class (e.g. IDOR, stored XSS, SSRF, auth bypass)
Affected URL or API endpoint
Step-by-step reproduction with screenshots or a minimal proof-of-concept
Realistic impact assessment — what an attacker could actually do
Your preferred name or handle for credit (optional)

PGP keyAvailable on request — ask in your first email and we'll send the fingerprint.

Important boundaries

Never access, modify, or delete data belonging to other users
Stop testing as soon as a vulnerability is confirmed — do not exfiltrate at scale
Do not disrupt service for other customers
Give us a reasonable window to fix before any public disclosure

Severity ratings

We use a four-level scale loosely aligned with CVSS v3.1. Below is how we typically classify reports — the final call lives with our security review.

Critical
Pre-auth RCE, full account takeover, mass PII exfiltration, broken auth on payment endpoints.
Fixed within 7 days. Emergency patch path.
High
Auth bypass, vertical privilege escalation, SSRF reaching internal services, stored XSS with session theft.
Fixed within 30 days.
Medium
IDOR with limited blast radius, reflected XSS, CSRF on non-critical actions, information disclosure.
Fixed within 60 days.
Low
Self-XSS, missing best-practice headers without exploit path, minor info leaks.
Tracked. Fix bundled into the next release window.

What you can expect from us

Initial acknowledgement
Within 3 business days of receipt.
Triage and severity assessment
Within 10 business days. We tell you whether we're treating the report as accepted, duplicate, or out of scope.
Fix target
Critical and high-severity issues within 30 days. Medium and low within 90 days. Genuine zero-days handled in hours.
Coordinated disclosure
We aim to publish a fix and a short advisory together. Standard embargo is 90 days from initial report; longer only by mutual agreement.

Recognition

We do not currently run a paid bug bounty — we'd rather build trust before we put money on the table, and a young program attracts more noise than signal. But we credit every researcher whose report leads to a fix in our public Hall of Fame, with name or handle as you prefer, and we're happy to write a recommendation or LinkedIn note for serious finds.

Hall of fame

No reports credited yet. Be the first — report responsibly and we'll list you here with the credit you prefer.

Credits are added after a fix ships, with the researcher's consent. Anonymous credit available on request.

RFC 9116 · disclose.io

Safe harbour

When you act in good faith under this policy — staying within scope, not affecting other users, not exfiltrating data, and giving us a reasonable disclosure window — we will not pursue legal action against you, will not ask law enforcement to investigate you, and will consider your activity authorized under the German Computer Fraud and Abuse Statute (§ 202c StGB) and equivalent international provisions. If a third party brings action against you for activity that complied with this policy, we will make it known publicly that the activity was authorized.