Security and responsible disclosure

Last updated: 2026-05-19
Last verified: 2026-05-19
Effective date: 2026-05-19
Customer-facing URL: https://qortara.com/legal/security

This page describes how the Qortara service ("Service") operated by MythologIQ Labs LLC handles security, how to report a suspected vulnerability, and what to expect when you do. The machine-readable companion is https://qortara.com/.well-known/security.txt.

1. Reporting a vulnerability

Send a report to security@qortara.com. Include, where you can:

  • a clear description of the suspected vulnerability;
  • the affected endpoint, surface, version, or component;
  • reproduction steps or proof of concept;
  • impact assessment (what an attacker could do);
  • your contact details for follow-up;
  • whether you wish to be credited in the hall of fame (see §6).

If you need encrypted transmission, write to security@qortara.com first and we will arrange an out-of-band channel. We do not currently publish a PGP key.

2. Acknowledgement and response

The Service is in active pre-launch development. We will acknowledge receipt of a good-faith report on a best-effort basis, with a target of 24 hours for initial acknowledgement. Triage, validation, and remediation timelines vary by severity; we will keep you informed of progress.

These timelines are not contractual service-level commitments. Service availability and response capacity depend on Microsoft Azure, Stripe, the Microsoft Agent Governance Toolkit, and other upstream providers we do not control.

3. Scope

3.1 In scope

  • the production Qortara API and dashboard at api.qortara.com, app.qortara.com, and qortara.com;
  • the Qortara Governance LangChain sidecar (public OSS distribution) under the MythologIQ-Labs-LLC organization on GitHub;
  • managed-application deployments operated by Qortara that ingest tenant data on the customer's behalf.

3.2 Out of scope

  • third-party services and infrastructure listed in the subprocessor list at https://qortara.com/legal/subprocessors. Vulnerabilities in those services should be reported directly to the operator. We will assist with coordination where reasonable.
  • customer-deployed instances of the open-source LangChain sidecar that we do not operate.
  • customer-side configuration errors (misconfigured policies, weak passwords, exposed API keys) that are not exploitable against other tenants.
  • denial-of-service, volumetric, or load-testing without prior written authorization.
  • social engineering of MythologIQ personnel.
  • physical attacks against MythologIQ personnel or infrastructure.
  • attacks requiring physical access to a victim's device.

4. Safe harbor

We will not pursue civil or criminal action against researchers who, in good faith:

  • act within the scope defined in §3 and respect the prohibitions in §5;
  • avoid privacy violations, destruction of data, and disruption to the Service or its users;
  • give us reasonable time to remediate before publishing details;
  • do not exploit the vulnerability beyond what is necessary to demonstrate it;
  • comply with applicable law.

If your good-faith research violates a third party's terms (for example, a hosting provider's terms of service), our safe harbor does not bind that third party.

5. Researcher conduct

Researchers must not:

  • access, modify, or delete data that is not their own;
  • disrupt Service availability for other users;
  • use automated scanners that generate excessive traffic without prior written authorization;
  • exfiltrate data, including for demonstration; a screenshot or hash of a single record is sufficient to prove access;
  • publicly disclose a vulnerability before the earlier of (a) our remediation of it and (b) 90 days from the date of our initial acknowledgement, unless we agree otherwise.

6. Hall of fame

We maintain a hall of fame at https://qortara.com/legal/security#hall-of-fame (this page) recognizing researchers who have reported valid vulnerabilities. Inclusion is opt-in; tell us when you report whether you want to be listed and how you wish to be credited (name, handle, organization, website).

There is no monetary bug-bounty program at this time. We may introduce one in the future.

Hall of fame

No researchers listed yet. Be the first to report a valid vulnerability and we will list you here at your option.

7. Security controls (overview)

The following gives a high-level view of how we protect customer data. It is not a contractual commitment to any specific control.

  • Identity and access: federated identity through Azure AD B2C; tenant isolation enforced at the application layer; service-principal credentials stored in Azure Key Vault.
  • Secrets management: all production secrets in Azure Key Vault with role-based access; periodic rotation per the secret-rotation schedule.
  • Policy enforcement: Cedar policies evaluated in a deny-closed fail mode; explicit allow required.
  • Audit evidence: each policy decision produces an Ed25519-signed, RFC 8785 JCS-canonicalized, SHA-256-hashed attestation written to the ledger.
  • Encryption: TLS 1.2 or higher in transit; Azure-managed encryption at rest; HSM-backed key options for Enterprise.
  • Network: Azure Front Door with WAF in front of public surfaces; APIM gateway for the API plane; private endpoints for data stores.
  • Logging and monitoring: Application Insights, Log Analytics, and Azure Monitor; security-relevant events alertable through standard Azure mechanisms.
  • Vulnerability management: dependency scanning in CI; container-image scanning at build; patches applied on a best-effort basis prioritized by severity.
  • Incident response: documented internally; controller notification within 72 hours of awareness of a personal data breach per the Data processing agreement at https://qortara.com/legal/dpa §8.
  • Disaster recovery: best-effort posture documented internally; tenant CA private keys are intentionally not recoverable after deletion as a property of the cryptographic design.
  • Supply chain: subprocessor due diligence and contractual flow-down per the Data processing agreement.
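The audit-evidence control above chains three standard mechanisms: RFC 8785 (JSON Canonicalization Scheme) to fix the byte representation of a record, SHA-256 to digest it, and Ed25519 to sign it. The following is an added example, not Qortara's code and not the ledger's real schema, showing how a verifier holding only the public key can recompute the canonical form and digest of a decision record and check its signature, so that a record altered after signing (here, an "allow" flipped to "deny") is rejected. The record fields, the placeholder policy identifier, the choice to sign the SHA-256 digest of the canonical bytes, and the use of Go's encoding/json as an approximation of RFC 8785 are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Attestation is a constructed record shape for one policy decision.
// The field names are assumptions for this example, not the Service's schema.
type Attestation struct {
	Decision  string `json:"decision"`
	PolicyID  string `json:"policy_id"`
	Principal string `json:"principal"`
	Action    string `json:"action"`
	Resource  string `json:"resource"`
	IssuedAt  string `json:"issued_at"`
}

// sampleAttestation returns a constructed "allow" decision used below.
func sampleAttestation() Attestation {
	return Attestation{
		Decision:  "allow",
		PolicyID:  "policy-example-001", // placeholder, not a real policy id
		Principal: "user:alice@example.com",
		Action:    "documents:read",
		Resource:  "tenant:acme/doc/42",
		IssuedAt:  "2026-05-19T12:00:00Z",
	}
}

// canonicalJSON approximates RFC 8785 (JCS): members sorted by key, no
// insignificant whitespace, no HTML-safe escaping. Go sorts keys by byte order
// (JCS: UTF-16 code units) and always escapes U+2028/U+2029, so the output
// differs from JCS only for such strings; assumption: records stay ASCII.
func canonicalJSON(v any) ([]byte, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	// Round-trip through a generic value so struct field order is replaced
	// by the sorted map-key order the encoder produces for nested objects.
	var generic any
	if err := json.Unmarshal(raw, &generic); err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(generic); err != nil {
		return nil, err
	}
	return bytes.TrimRight(buf.Bytes(), "\n"), nil
}

// SignedAttestation bundles what a ledger entry would carry with the record.
type SignedAttestation struct {
	Canonical []byte
	Digest    [sha256.Size]byte
	Signature []byte
}

// signAttestation canonicalizes, hashes with SHA-256 and signs the digest with
// Ed25519 (signing the digest rather than the raw bytes is an assumption here).
func signAttestation(priv ed25519.PrivateKey, att any) (SignedAttestation, error) {
	if len(priv) != ed25519.PrivateKeySize {
		return SignedAttestation{}, errors.New("invalid private key length")
	}
	canon, err := canonicalJSON(att)
	if err != nil {
		return SignedAttestation{}, err
	}
	digest := sha256.Sum256(canon)
	return SignedAttestation{Canonical: canon, Digest: digest, Signature: ed25519.Sign(priv, digest[:])}, nil
}

// verifyAttestation recomputes canonical form and digest from the record the
// verifier holds and checks the signature; any post-signing change to the
// record, or a non-canonical re-encoding, changes the digest and fails.
func verifyAttestation(pub ed25519.PublicKey, att any, sig []byte) (bool, error) {
	if len(pub) != ed25519.PublicKeySize {
		return false, errors.New("invalid public key length")
	}
	canon, err := canonicalJSON(att)
	if err != nil {
		return false, err
	}
	digest := sha256.Sum256(canon)
	return ed25519.Verify(pub, digest[:], sig), nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	att := sampleAttestation()
	signed, err := signAttestation(priv, att)
	if err != nil {
		panic(err)
	}
	fmt.Println("canonical:", string(signed.Canonical))
	fmt.Println("sha256:   ", hex.EncodeToString(signed.Digest[:]))
	ok, _ := verifyAttestation(pub, att, signed.Signature)
	fmt.Println("verifies:", ok)
	tampered := att
	tampered.Decision = "deny" // flip the decision after signing
	ok, _ = verifyAttestation(pub, tampered, signed.Signature)
	fmt.Println("tampered verifies:", ok)
}
```

The point of canonicalizing before hashing is that two parties who hold the same logical record but different byte encodings (key order, whitespace) still derive the same digest; a verifier that hashed the raw stored bytes instead would either reject legitimate re-serializations or, worse, be unable to detect that a field was changed when the stored bytes are trusted blindly.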

8. Compliance posture

The Service is built on Microsoft Azure and inherits Azure's underlying certifications (ISO 27001/27017/27018, SOC 1/2/3, HIPAA-eligible regions, FedRAMP High where applicable). MythologIQ Labs LLC is enrolled in the Microsoft AI Cloud Partner Program. We do not currently hold independent SOC 2 or ISO 27001 attestations in our own name; pursuing those is on the roadmap. We will not represent the Service as certified under any framework for which we do not hold a current attestation.

9. Contact

  • Security reports: security@qortara.com
  • Abuse reports: abuse@qortara.com
  • Legal notices: legal@qortara.com
  • General: support@qortara.com