QuoteForge

Vulnerability Disclosure Policy

Last updated: 2026-01-01

Purpose

TeleCetli Kft. invites security researchers and users to report potential vulnerabilities in the QuoteForge platform through responsible disclosure. We are committed to working with the security community to identify and resolve vulnerabilities promptly. This policy defines the scope, rules, submission process, and response commitments for vulnerability disclosure.

Scope

In scope:

  • quoteforge.gridex.ai (main application)
  • api.quoteforge.gridex.ai (API endpoints)
  • Any subdomain of quoteforge.gridex.ai

Out of scope (report to respective providers):

  • auth.gridex.ai (Keycloak identity provider — report to the Keycloak project or auth provider)
  • checkout.stripe.com (Stripe payment processing — report to Stripe via their disclosure programme)
  • gridex.ai (corporate website — separate scope)
  • Social engineering attacks against employees
  • Vulnerabilities in third-party dependencies that are already publicly known and tracked in our dependency scanner

Rules of Engagement

When conducting security research on in-scope systems, you must:

  • Not conduct denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Not perform destructive testing or modify, delete, or exfiltrate data belonging to other users
  • Not access, download, or copy personal data (if you encounter PII during research, stop and report immediately without retaining the data)
  • Not conduct social engineering or phishing attacks against TeleCetli Kft. employees
  • Not test for vulnerabilities in out-of-scope systems or infrastructure
  • Not violate any applicable laws or regulations in the course of your research
  • Stop testing and report immediately if you discover evidence of an active breach or previously unknown attack

How to Submit a Report

Email security@gridex.ai with the subject prefix [VULN]. We recommend using the report format below. For critical vulnerabilities, encrypt your email using our PGP key (available on request).

Email: security@gridex.ai

Subject prefix: [VULN]

Suggested report format:

Response SLA

Safe Harbor

TeleCetli Kft. will not pursue legal action against security researchers who discover and report vulnerabilities in good faith in accordance with this policy. We consider good-faith research to be activity that: (a) is limited to in-scope systems, (b) does not access or exfiltrate personal data, (c) does not disrupt service availability, (d) is reported to us before public disclosure, and (e) complies with all rules of engagement above. If you comply with these requirements, we consider your research to constitute good-faith security research authorised by us.

Bug Bounty

We do not currently offer a cash bug bounty programme. Researchers who discover and responsibly disclose valid vulnerabilities may, at our discretion, receive recognition in our Security Hall of Fame. We appreciate the time and effort of the security community and will always respond to valid reports promptly and professionally.