Responsible Disclosure
Updated: October 2025
Purpose
This standard enables external entities to report and disclose vulnerabilities and internal entities to report information security policy violations, reinforcing BuildQM's commitment to the security and privacy of its customers and workforce.
Scope
BuildQM’s Responsible Disclosure standard is inclusive and applies to all, including BuildQM employees, interns, temporary staff, contractors, vendors, partners, suppliers, and other third parties (collectively referred to as “workforce members”). This inclusivity ensures that everyone is part of our security efforts.
Background
BuildQM is committed to ensuring our customers' and employees' safety and security. We aim to foster an environment of trust and an open partnership with the security community, and we recognize the importance of vulnerability disclosures and whistleblowers in continuing to ensure the safety and security of all of our customers and employees. We have developed this standard to reflect our corporate values and to uphold our legal responsibility to good-faith security researchers, who provide us with their expertise, and to whistleblowers, who add an extra layer of security to our infrastructure.
Roles and Responsibilities
Information Security Team: Assess and respond to vulnerability reports and communicate with the reporter.
Legal Team: Ensure legal compliance in the disclosure process and address legal implications.
External Researchers: Report vulnerabilities following this standard’s guidelines.
Legal Posture
BuildQM will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for the currently listed BuildQM products and services. We agree not to pursue legal action against individuals who:
Engage in the testing of systems/research without harming BuildQM or its customers.
Engage in vulnerability testing within the scope of our vulnerability disclosure program.
Test products without affecting customers, or obtain permission/consent from customers before engaging in vulnerability testing against their devices, software, etc.
Adhere to the laws of their location and BuildQM's location. For example, violating laws that would only result in a claim by BuildQM (and not a criminal claim) may be acceptable as BuildQM is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
We prohibit harmful activities against BuildQM, its customers, and its workforce members.
BuildQM’s Responsible Disclosure
At BuildQM, we prioritize the safety and security of our users on the internet. We are dedicated to safeguarding the integrity of our assets, systems, and our customers' confidential information. In the event of any potential vulnerabilities discovered in any of BuildQM's products, systems, or assets, we strongly encourage prompt communication from security researchers.
Please note that BuildQM does not offer a bug bounty program, monetary rewards, or other compensation for reported security issues.
Guidelines for Responsible Disclosure
Act in good faith to avoid privacy violations, data destruction, and interruption or degradation of our services (including denial of service).
Please be respectful of our applications and services.
Refrain from any actions that could potentially cause harm to BuildQM, our customers, workforce members, or any other individuals.
Avoid activities that could degrade the performance or functionality of BuildQM's services or assets.
Do not retain, share, modify, or destroy BuildQM data. If you encounter Confidential, Proprietary, or Personal Data, stop your activities immediately, delete the data from your systems, and contact us immediately.
Ensure your actions do not violate local, state, or federal laws.
Avoid any fraudulent activities.
You must not be considered a minor where you live, or you must have a signed letter proving your parent or legal guardian’s permission to contact us.
You must not reside in a country currently subject to a U.S. (OFAC) sanctions program.
Keep any vulnerabilities you discover confidential and refrain from disclosing them to third parties or making them public.
If you comply with these guidelines and responsibly report your findings, BuildQM commits to not pursuing legal action against you, except where required by law, regulatory authorities, or third parties.
Exclusions from Scope
Issues related to SPF/DKIM/DMARC records.
Clickjacking/UI redressing vulnerabilities.
Vulnerabilities that affect outdated browsers or platforms.
Theoretical risks without a practical proof of concept.
Findings from automated vulnerability scanners without demonstrable impact.
Use of libraries with known vulnerabilities without demonstrable impact.
Non-sensitive key disclosures.
Issues related to SSL/TLS cipher suites or protocols.
Tab-nabbing and Self-XSS.
Content spoofing and mixed content warnings.
Lack of CSRF tokens or CSRF with minimal security impact.
Missing security headers.
XSS related to HTTP Host/Referer Headers.
Host header injection without demonstrable impact.
Missing or inadequate cookie security flags.
Content/text injection mitigated by CSP Headers.
CORS issues discovered on websites that do not impact endpoints exposing sensitive information.
User enumeration.
Physical attempts against BuildQM property.
Social engineering against BuildQM or its customers.
Phishing attempts against BuildQM or its customers.
Public file or directory disclosures or internal IP exposures.
Reports regarding assets not owned by BuildQM.
Attacks requiring physical access to a BuildQM device.
Disclosures of software versions.
How to Report a Security Vulnerability to BuildQM
If you've identified a potential security vulnerability in any of BuildQM's products, systems, services, or assets, we highly encourage you to report it to help maintain our digital security.
To report a vulnerability, please follow these steps:
Prepare Your Report: Include details such as the nature of the vulnerability, how it was discovered, its potential impact, and any replicable steps or code.
Well-written reports in English will have a higher probability of resolution.
Reports that include proof-of-concept code equip us to triage better.
Reports with only crash dumps or other automated tool output may receive lower priority.
Reports that include products outside the initial scope list may receive lower priority.
Please include how you found the bug, the impact, and any potential remediation.
Secure Communication: Email your findings to security@buildqm.com.
Collaborate With Us: We may reach out for further information. Your cooperation will help speed up the resolution process.
Maintain Confidentiality: Please only disclose information about the vulnerability once it has been resolved. We respect your confidentiality and expect the same in return for protecting our users and systems.
What to Expect from Us
While we don't offer a monetary reward, we recognize the value of community contributions.
Our team will evaluate your report thoroughly and may contact you for additional details.
We will inform you about the status of your reported issue when possible.
If we cannot resolve communication issues or other problems, BuildQM may bring in a neutral third party to assist in determining how best to handle the vulnerability.
Anonymous Reporting
BuildQM accepts anonymous reporting to ensure concerns can be raised without fear of retaliation.
Disclaimer
BuildQM's security processes and policies are subject to change without prior notice. Any use of the information provided herein is at your own risk. BuildQM reserves the right to act against any individual or entity engaging in harmful, malicious, unlawful, offensive, or abusive activities or violating any rights.