VULNERABILITY DISCLOSURE POLICY
Last Updated: March 28, 2026
At Qrystal Partners, we care deeply about the safety and security of our customers' data. This is why we greatly value any input from our community that can help us detect vulnerabilities in our product.
1. HOW TO REPORT AN ISSUE
If you have discovered an issue that is not part of our out-of-scope vulnerabilities, please send an email to security[at]qrystaluplink.io with the following details:
- A summary of the issue and potential impact
- A breakdown of the steps to replicate the issue
- Details of the environment you are using
- If available, any proof-of-concept code to exploit the vulnerability
Upon receiving your email, our team will review and triage the issue based on severity and impact. We may follow up for additional details when needed and may provide status updates at our discretion.
We value your efforts and prioritize valid, actionable vulnerability reports based on severity and impact.
2. FOCUS AREAS
- Authentication bypass and privilege escalation
- Exposure of personally identifiable information (PII)
- Access to data outside of the authenticated workspace
- SQL injection and remote command execution
3. IN SCOPE
- Qrystal Uplink web application and supporting services (qrystaluplink.io)
- Qrystal Uplink API
- Qrystal Uplink desktop applications (macOS, Windows)
4. OUT OF SCOPE
- Automated scanning of any kind
- Social engineering of any kind, in particular Qrystal Partners employees
- Denial of Service attacks of any kind
- Attacks requiring physical access to the victim's computer
- Theoretical attacks without proof of exploitability
- Man-in-the-middle attacks
- Clickjacking on pages with no sensitive actions
- High-privilege users (admins, owners) using a bug to sabotage/deface their own workspace
- Logic bugs which allow an attacker to bypass limits on free accounts and get access to features on paid plans
- Missing best practices in HTTP headers (CSP, etc.), HTTP cookies, TLS versions / ciphersuites, and DNS configuration (email [SPF / DKIM / DMARC / MTA-STS], CAA, DNSSEC, etc.) may be considered informative and may not be prioritized for remediation
- Ability to send push notifications, SMS messages, or emails without the ability to change content
- Ability to take over social media pages (Twitter, Facebook, LinkedIn, etc)
- Negligible security impact
- Unchained open redirects
- Reports that software is out of date or vulnerable without a proof-of-concept
- Vulnerabilities reported by automated tools without additional analysis showing impact
- Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
- SSL/TLS scan reports (for example, output from SSL Labs)
- Open ports without an accompanying proof-of-concept demonstrating vulnerability
- CSV injection
- Protocol mismatch
- Rate limiting
- Dangling IPs
- Vulnerabilities that cannot be used to exploit other users or Qrystal Partners (for example, self-XSS or having a user paste JavaScript into the browser console)
- Reports that affect only outdated user agents; we only consider exploits in the latest browser versions for Safari, Firefox, Chrome, Edge, and IE
- Path disclosure
- Banner grabbing issues (figuring out what web server we use, etc.)
- If a site is abiding by the privacy policy, there is no vulnerability
- Enumeration and account oracles
- Account oracles, such as submitting a phone number, email, or UUID and receiving a message indicating an account exists
5. WE KINDLY ASK YOU
- Only test the vulnerability on your own account or with explicit permission from the account holder.
- Make a good faith effort to avoid privacy violations, copying or destruction of data, and interruption or degradation of our service.
- If you obtain remote access to our systems, do not attempt to expand or elevate access to other servers.
- To prevent further exploitation, please do not make the vulnerability public before reporting it to us, and give us adequate time to address the issue.
6. THE DOs
- Do respect privacy & make a good faith effort not to access, process or destroy personal data.
- Do be patient & make a good faith effort to provide clarifications to any questions we may have about your report.
- Do be respectful when interacting with our team, and our team will do the same.
- Do perform testing only using accounts that are your own personal/test accounts.
- Do exercise caution when testing to avoid negative impact to customers and the services they depend on.
- Do stop whenever unsure. If you think you may cause, or have caused, damage while testing a vulnerability, report your initial finding(s) and request authorization to continue testing.
7. THE DO NOTs
- Do not leave any system in a more vulnerable state than you found it.
- Do not brute force credentials or guess credentials to gain access to systems.
- Do not participate in denial of service attacks.
- Do not upload shells or create a backdoor of any kind.
- Do not publicly disclose a vulnerability without our explicit review and consent.
- Do not engage in any form of social engineering of Railway employees, customers, affiliates or partners.
- Do not engage or target any Railway employee, customer, or partner during your testing.
- Do not attempt to extract, download, or otherwise exfiltrate data that may contain Personally Identifiable Information or other sensitive data other than your own.
- Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.
- Do not do anything that would be considered a privacy violation, cause destruction of data, or interrupt or degrade our service.
- Do not interact with accounts you do not own.
8. SAFE HARBOR
To the extent permitted by applicable law, activities conducted in good faith and in a manner consistent with this policy are intended to be treated as authorized conduct. We do not intend to initiate legal action for such activities.
9. ATTRIBUTION
This vulnerability disclosure policy has been adapted from Linear.app's security policy and Railway's security policy.
10. CONTACT INFORMATION
Entity: Qrystal Partners (Mikayel Grigoryan, Individual Entrepreneur)
Email: security[at]qrystaluplink.io
Location: Yerevan, Armenia