Vulnerability Disclosure Policy
CUI Labs (Pte.) Ltd. ("CUI Labs"), a company incorporated in Singapore (UEN: 202532790K), is committed to the security of QNSP Cloud and our customers. We welcome responsible disclosure of security vulnerabilities.
This policy establishes guidelines for security researchers and customers to report potential vulnerabilities in QNSP services.
1. Reporting a Vulnerability
1.1 Contact
Report security vulnerabilities to:
- Email: qnsp-security@cuilabs.io
- PGP Key: Available at https://qnsp.cuilabs.io/.well-known/security.txt
1.2 What to Include
Please provide:
- Description: Clear description of the vulnerability
- Impact: Potential security impact if exploited
- Steps to Reproduce: Detailed reproduction steps
- Proof of Concept: Code, screenshots, or logs demonstrating the issue
- Affected Components: Services, APIs, or SDKs affected
- Your Contact Information: For follow-up questions
1.3 Encryption
We encourage encrypting sensitive vulnerability reports using our PGP key.
2. Scope
2.1 In Scope
- QNSP Cloud services (api.qnsp.cuilabs.io)
- QNSP Cloud Portal (cloud.qnsp.cuilabs.io)
- QNSP Documentation site (docs.qnsp.cuilabs.io)
- QNSP Website (qnsp.cuilabs.io)
- QNSP SDKs (@qnsp/* npm packages)
- Authentication and authorization flaws
- Cryptographic implementation issues
- Data exposure vulnerabilities
- API security issues
2.2 Out of Scope
- Social engineering attacks against CUI Labs employees
- Physical security issues
- Denial of service attacks
- Spam or phishing
- Issues in third-party services or integrations
- Issues requiring physical access to user devices
- Vulnerabilities in customer applications using QNSP
3. Our Commitment
3.1 Response Timeline
| Stage | Target Timeline |
|---|---|
| Acknowledgment | Within 24 hours |
| Initial Assessment | Within 72 hours |
| Status Update | Every 7 days until resolution |
| Resolution | Based on severity (see Section 4) |
3.2 What We Will Do
- Acknowledge receipt of your report promptly
- Investigate and validate the vulnerability
- Keep you informed of our progress
- Work to remediate confirmed vulnerabilities
- Credit you in our security acknowledgments (if desired)
- Not pursue legal action against good-faith researchers
3.3 What We Ask of You
- Do not access, modify, or delete data belonging to other users
- Do not disrupt QNSP services or degrade user experience
- Do not disclose the vulnerability publicly until we have remediated it
- Act in good faith to avoid privacy violations and service disruption
- Do not use automated scanning tools that generate excessive traffic
4. Severity Classification and Resolution
| Severity | Definition | Target Resolution |
|---|---|---|
| Critical | Remote code execution, authentication bypass, encryption key exposure | 24–72 hours |
| High | Significant data exposure, privilege escalation, cryptographic weakness | 7 days |
| Medium | Limited data exposure, cross-site scripting, CSRF | 30 days |
| Low | Information disclosure, best practice deviation | 90 days |
5. Safe Harbor
CUI Labs will not pursue legal action against individuals who:
- Make a good-faith effort to comply with this policy
- Report vulnerabilities through the designated channels
- Avoid privacy violations, data destruction, and service disruption
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- Give us reasonable time to remediate before any public disclosure
6. Recognition
We maintain a security acknowledgments page to recognize researchers who have responsibly disclosed vulnerabilities:
https://qnsp.cuilabs.io/security#acknowledgments
If you would like to be acknowledged, please indicate your preferred name/handle when reporting.
7. Bug Bounty
At this time, CUI Labs does not operate a formal bug bounty program with monetary rewards. We recognize security researchers through our acknowledgments page and may offer discretionary rewards for critical findings.
8. Security Advisories
Security advisories for QNSP are published at:
https://docs.qnsp.cuilabs.io/security/advisories
Customers are notified of security issues affecting their deployments through:
- Email notifications to account administrators
- Cloud Portal security alerts
- Status page updates (for service-affecting issues)
9. Legal Safe Harbor
CUI Labs provides legal safe harbor for security research conducted in compliance with this policy. This means:
- We will not pursue civil claims against researchers who comply with this policy.
- We will not refer researchers to law enforcement for actions taken in good faith under this policy.
- We consider security research conducted under this policy to be authorized under the Computer Misuse Act (Singapore) and similar laws.
This safe harbor applies only to legal claims under CUI Labs' control and does not bind independent third parties.
10. Governing Law
This Vulnerability Disclosure Policy is governed by the laws of the Republic of Singapore. Any disputes shall be subject to the exclusive jurisdiction of the courts of Singapore.
CUI Labs (Pte.) Ltd.
Registered Office: 552 Ang Mo Kio, Avenue 10, #21-1982, Cheng San Place, Singapore 560552
UEN: 202532790K
Effective Date: February 24, 2026
Document Version: 1.0.0
For security inquiries, contact: qnsp-security@cuilabs.io