Security Policy & Responsible Disclosure

How to report a security vulnerability to Qwayk, what’s in scope, and what you can expect from us.

Qwayk

Summary (plain English)

If you believe you’ve found a security vulnerability in Qwayk’s tools, documentation, or website, please report it responsibly. We’d rather receive a private report than learn about an issue from a public post.

Report a vulnerability

Email: security@qwayk.com

If you accidentally include secrets in a report, tell us as soon as possible so we can help you rotate them.

Please do not send:

  • passwords, API keys, access tokens, private keys, or other secrets
  • personal data about other people

Include:

  • what you found and why it’s a security issue
  • steps to reproduce (as safely as possible)
  • affected pages/files/commands and versions (if known)
  • any proof-of-concept code (if applicable)

Where relevant, also include:

  • the URL(s) affected (for website issues)
  • timestamps and your IP address (optional; helpful for log correlation)
  • screenshots or short screen recordings (optional; helpful for UI issues)

Scope

In scope (examples):

  • Qwayk public website configuration and theme/templates we publish
  • Qwayk tooling repos and release artifacts

Out of scope (examples):

  • security issues in third-party services we don’t control (Ghost(Pro), Stripe, GitHub, Cloudflare, etc.)
  • social engineering, spam, and denial-of-service attacks

If you believe you’ve found a vulnerability in the Ghost(Pro) platform itself (not a Qwayk theme/config issue), please report it to Ghost directly. You may also CC security@qwayk.com so we can track any Qwayk impact.

Please do not

  • Access data that is not yours.
  • Attempt destructive actions or write operations against real third-party accounts.
  • Publicly disclose the issue before we have a chance to investigate.

Safe harbor (good-faith research)

We support good-faith security research. If you follow this policy, we will not intentionally pursue legal action against you for your research.

This safe-harbor statement does not limit anyone’s rights or obligations under applicable law.

This does not cover:

  • social engineering (phishing, pretexting, impersonation)
  • denial-of-service attacks
  • physical attacks
  • accessing or modifying data that is not yours

What you can expect from us

  • We aim to acknowledge receipt within 3 business days.
  • We’ll work to validate and remediate (best-effort; no SLA).

We do not currently offer a paid bug bounty program.

security.txt

We aim to publish a security.txt file at:

  • /.well-known/security.txt, and
  • /security.txt

The source of truth for its contents in the repo is pages/security.txt; the domain and the Expires value there must match the live site.

If the Ghost theme cannot serve /.well-known/security.txt, we will use a Ghost redirect as a fallback and verify the final URLs on the live domain. If the theme route still does not work, we will contact Ghost support (Ghost(Pro)) for guidance on serving the well-known path.

Deployment requirements (to reach “launch-ready”)

  • Before deploying security.txt, confirm the domain and URLs match the live site (qwayk.com).
  • Keep the Expires: field current (set a date you will actually renew on schedule).
  • After deployment, verify both endpoints return the expected content:
      • https://qwayk.com/.well-known/security.txt
      • https://qwayk.com/security.txt
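As an added example (not Qwayk's own code or tooling), a pre-deployment check that parses a security.txt body and flags the launch-blocking problems described above: a missing Contact, an Expires that is missing, malformed, already past or more than a year out, and a Canonical URL whose host differs from the live domain. The sample file and its Expires date are constructed placeholders; the one-year bound follows the RFC 9116 recommendation.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Added example, not Qwayk's code. Constructed sample of the file the policy
# describes; the Expires date is a placeholder, not the live site's value.
SAMPLE_SECURITY_TXT = """\
Contact: mailto:security@qwayk.com
Expires: 2026-06-30T00:00:00Z
Canonical: https://qwayk.com/.well-known/security.txt
"""
def parse_fields(text):
    """Return fields as {lowercased name: [values]}, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed security.txt line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields
def parse_timestamp(value):
    """Parse an RFC 3339 timestamp such as 2026-06-30T00:00:00Z; None if invalid or naive."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo is not None else None

def check_security_txt(text, domain, now=None):
    """Return the problems found; an empty list means the body is ready for `domain`."""
    now = parse_timestamp(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    fields = parse_fields(text)
    problems = []
    if not fields.get("contact"):
        problems.append("missing Contact")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    elif (exp := parse_timestamp(expires[0])) is None:
        problems.append("Expires is not an RFC 3339 timestamp with a timezone")
    elif exp <= now:
        problems.append("Expires is in the past")
    elif exp - now > timedelta(days=365):
        problems.append("Expires is more than a year out")
    for url in fields.get("canonical", []):
        if urlparse(url).hostname != domain:
            problems.append(f"Canonical host does not match {domain}: {url}")
    return problems
```

After deployment, run it over the body returned by each of the two URLs above (for example, the output of curl), passing the live domain; both must come back with an empty problem list.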