Reporting
Email anil@heftyinnovations.com with reproduction steps, affected endpoints, and any proof-of-concept. Encrypted submissions are welcome — our PGP key fingerprint is published at /.well-known/security.txt.
We acknowledge reports within 2 business days and target an initial triage within 5 business days. Critical findings are handled 24×7.
Scope
In scope
- qehsethos.com and any *.qehsethos.com property
- The QEHS production application (app.qehsethos.com) and tenant subdomains
- Public APIs under api.qehsethos.com
- The QEHS mobile apps (iOS / Android, latest versions)
- Marketing site, docs site, status page
Out of scope
- Denial-of-service or volumetric attacks
- Social engineering of employees, customers, or vendors
- Physical-security attacks against QEHS facilities
- Automated scanner output without a demonstrable exploit
- Issues in third-party services (report to the vendor; copy us)
- Best-practice recommendations without a concrete impact path
Safe harbour
If you act in good faith, stay within the scope above, do not intentionally exploit beyond what is needed to confirm an issue, and do not access, modify, or exfiltrate customer data, we will:
- Not pursue or support legal action against you.
- Treat your report as authorised under the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act 1990, and analogous laws.
- Work with you to understand the issue, coordinate on timing, and credit you in our release notes if you would like.
Please do not publicly disclose until we have had a reasonable opportunity to remediate — typically 90 days, or sooner if we have already fixed the issue.
Bug bounty (planned)
A formal bounty programme is on our roadmap. Until it opens, we offer discretionary recognition (swag, public credit, occasional cash awards) for high-quality reports.