Security
Qortara takes the security of its platform and customer data seriously. This page describes how to report vulnerabilities and what to expect from our response.
Responsible disclosure
Found a security vulnerability in Qortara? Please report it.
For the OSS package (qortara-governance-langchain): use GitHub private vulnerability reporting at https://github.com/MythologIQ-Labs-LLC/qortara-governance-langchain/security/advisories/new.
For qortara.com or any other Qortara surface: email security@qortara.com.
We commit to:
- Acknowledging your report within 48 hours
- Investigating and responding within 7 days for confirmed vulnerabilities
- Crediting reporters (let us know if you prefer to remain anonymous)
- Not pursuing legal action against good-faith researchers following this policy
Scope
In scope:
- qortara.com (this website)
- qortara-governance-langchain OSS package (github.com/MythologIQ-Labs-LLC/qortara-governance-langchain)
- api.qortara.com and app.qortara.com (once live)
Out of scope:
- Third-party services we use (report those to the vendor directly)
- Denial-of-service attacks
- Social engineering of Qortara staff
- Physical security
- Automated vulnerability scanner output without an actual reproducible issue
Rewards
Qortara does not currently operate a bug bounty program. We may offer discretionary rewards for material findings at our sole discretion. A formal bounty program may be introduced post-launch based on demand and volume.
PGP
No PGP key for v1. Encrypted reporting via GitHub's security advisory system is available for the OSS package.