Security Response and Vulnerability Disclosure

Security Response Policy

QRCS maintains a structured security response and vulnerability disclosure process for cryptographic infrastructure and long lifecycle deployments. We encourage responsible disclosure and coordinated remediation, and we prioritize clear communication for customers who depend on QRCS components.

If you believe you have found a security issue, report it privately using the channels below. Do not post details publicly until remediation guidance is available, unless explicitly agreed in writing with QRCS.

Scope

This policy applies to QRCS software and reference materials, including: cryptographic library components, protocol engines, reference applications, specifications, and integration guidance. It covers issues in cryptographic constructions, protocol state machines, message handling, key management flows, implementation behavior, and build or configuration profiles.

Reporting a Vulnerability

To report a vulnerability, send a private email to QRCS security. If the issue is urgent or you believe active exploitation is plausible, indicate that clearly in the subject line.

Security Reporting Email

security@qrcscorp.ca

Suggested subject line: Security Vulnerability Report

Secure Submission

PGP encryption is available on request. If you require encrypted exchange from the first message, contact us and we will provide the current public key fingerprint.

What to Include in a Report

Reports that include reproducible detail are triaged faster. When possible, include:

  • Component and version: repository name, release tag, commit hash, or binary build identifier
  • Environment: OS, compiler/toolchain, CPU architecture, build flags, and relevant configuration
  • Impact: confidentiality, integrity, availability, authentication bypass, key compromise, downgrade, denial-of-service
  • Reproduction: minimal test case, packet trace, proof-of-concept steps, or deterministic vector where applicable
  • Scope: affected modules, protocol modes, and whether the issue is exploitable remotely or requires local access
  • Suggested remediation: if you have a proposed fix, mitigation, or patch, include it separately

Acknowledgement and Triage

QRCS will acknowledge receipt of a report and begin triage. During triage, we validate the report, determine affected scope, and assign a severity classification. We may request additional information, logs, traces, or environment detail to reproduce the issue.

Severity is evaluated using practical impact and exploitation feasibility, including: attack surface exposure, key compromise risk, ability to bypass authentication, impact on message integrity, downgrade opportunities, and whether the issue affects default configurations.

Coordinated Disclosure and Timelines

QRCS follows a coordinated disclosure model. We ask reporters to keep details confidential until a fix or mitigation is available. If you are operating under organizational disclosure policies, tell us early so we can align on timelines.

Disclosure timing depends on severity and deployment risk. In high-risk cases, QRCS may release mitigations or guidance prior to a full patch. Where customers operate under support agreements, QRCS can provide pre-release notifications for coordinated upgrade planning.

Remediation, Releases, and Guidance

Remediation may take several forms depending on the component and risk profile:

  • Code fixes: patches to affected modules and regression tests
  • Configuration guidance: safe defaults, hardened profiles, or feature flags
  • Protocol clarifications: specification errata or interoperability notes when message or state-machine interpretation is involved
  • Upgrade guidance: recommended migration steps, compatibility notes, and operational rollout guidance

For cryptographic issues, QRCS evaluates remediation under conservative assumptions, with emphasis on preventing key compromise, preventing message manipulation, and ensuring robust authentication and replay handling.

Security Advisories

When appropriate, QRCS issues a security advisory describing: affected components and versions, impact, exploitability assessment, remediation steps, and any workaround or mitigation. Advisory distribution depends on component scope and customer support posture.

Verification and Regression Testing

QRCS validates fixes using regression testing, deterministic vectors where applicable, and protocol-level verification. We aim to provide customers with sufficient information to independently validate remediation in their environment.

Out of Scope

The following are generally out of scope for this policy:

  • Issues caused by unsupported modifications, forks, or non-approved integration changes
  • Vulnerabilities in third-party dependencies not maintained by QRCS
  • Non-security feature requests or performance tuning requests

Safe Harbor

QRCS supports good-faith security research. If you make a good-faith effort to follow this policy, avoid privacy violations, avoid service disruption, and do not exploit vulnerabilities beyond what is necessary to demonstrate impact, QRCS will treat your research as authorized for the purpose of investigation and remediation.

Contact

Security reporting: security@qrcscorp.ca
General inquiries: contact@qrcscorp.ca

On This Page

Security Contact

Email: security@qrcscorp.ca

PGP: Available on request

Related