Security

Responsible Disclosure Policy

Last updated: 15 July 2026

Security is central to QUANTRA. If you believe you have discovered a vulnerability in our platform or website, we want to hear from you and work with you to resolve it quickly.

Report a vulnerability

Email security@bwe.one. If you would like to encrypt your report, request our PGP key at the same address.

Please include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce, including URLs, payloads, screenshots or PoC code.
  • Whether you disclosed it elsewhere and the timeline you propose.

Safe harbour

We will not pursue legal action against researchers who act in good faith under this policy. In particular, please:

  • Do not access data that is not yours; use test accounts you create.
  • Do not perform denial-of-service attacks or degrade the service for others.
  • Give us reasonable time to remediate before public disclosure.

Out of scope

  • Social engineering of BWE staff or clients.
  • Physical attacks on our facilities.
  • Reports based solely on automated scanner output without exploit paths.
  • Missing security headers with no demonstrated impact.

Our commitment

  • Acknowledge receipt within 2 business days.
  • Provide a triage decision within 10 business days.
  • Coordinate a fix and public disclosure timeline with you.
  • Credit you (with consent) in our post-remediation write-up.