Vulnerability Disclosure Policy

Last updated: July 4, 2026

Quantamsecure Private Limited builds security products, and we hold ourselves to the standard we ask of our customers. If you believe you have found a security vulnerability in any Knowspams website, application or service, we want to hear from you — and we will work with you to resolve it quickly.

How to report

Email support@knowspams.com with as much of the following as you can:

  • The affected URL, endpoint or product area
  • Steps to reproduce the issue (proof-of-concept requests, screenshots or scripts)
  • The impact you believe the issue has
  • Your name or handle, if you would like public credit

Our machine-readable contact details are published at /.well-known/security.txt (RFC 9116).

What you can expect from us

  • Acknowledgement of your report within 3 business days
  • An assessment and expected remediation timeline within 10 business days
  • Updates as we work on a fix, and confirmation when it ships
  • Public credit for your finding, if you want it — we will not name you without your consent
  • No legal action against research conducted in good faith under this policy

Ground rules for researchers

To keep testing safe for our customers and lawful for you, we ask that you:

  • Act in good faith: avoid privacy violations, data destruction, and degradation of our services
  • Access only the minimum data needed to demonstrate the issue — never view, alter or exfiltrate other users' data
  • Do not run denial-of-service, spam or brute-force attacks
  • Do not use social engineering, phishing or physical attacks against our staff, customers or infrastructure
  • Give us reasonable time to remediate before disclosing anything publicly

Out of scope

  • Findings on third-party services we use (report those to the vendor concerned)
  • Missing security headers or best-practice flags without a demonstrable exploit
  • Reports from automated scanners with no verified impact
  • Clickjacking on pages with no sensitive actions

We do not currently operate a paid bug-bounty programme, but we deeply appreciate responsible disclosure and will acknowledge meaningful findings.