
NorthQuinn Inc. builds security technology. We take the security of our own systems seriously and welcome responsible disclosure from the security research community. This Vulnerability Disclosure Policy ("VDP") describes the rules of engagement for security research on NorthQuinn-operated systems and our commitments to researchers who report in good faith.

Effective: April 24, 2026  •  Last Updated: April 24, 2026

Introduction

NorthQuinn recognizes that the security research community plays a critical role in identifying vulnerabilities before adversaries do. This policy provides a framework for researchers to report potential security issues to us in good faith, with clear expectations on both sides.

This VDP is the policy referenced in Section 4 of NorthQuinn's Terms and Conditions, which carves out good-faith security research from the general prohibition on probing or testing NorthQuinn systems. Research conducted in accordance with this policy constitutes "expressly authorized" activity under those Terms.

Scope

The following systems and assets are in scope for security research under this policy:

  • northquinn.com — primary website including all subdomains
  • NorthQuinn web infrastructure — publicly accessible web applications and APIs operated by NorthQuinn Inc.
  • NorthQuinn DNS infrastructure — DNS records and configurations attributable to northquinn.com

Any asset or system not explicitly listed above is out of scope. Client systems, client networks, and any system where NorthQuinn operates as a third-party service provider are strictly out of scope regardless of any technical connectivity to NorthQuinn infrastructure.

Rules of Engagement

To qualify for safe harbor protections under this policy, research must comply with all of the following:

  • No data access beyond proof of concept. Stop immediately upon confirming a vulnerability. Do not extract, copy, modify, delete, or retain any data beyond what is necessary to document the vulnerability.
  • No service disruption. Testing must not degrade or interrupt the availability of NorthQuinn services or affect other users. Denial-of-service testing, load testing, and volumetric attacks are prohibited.
  • No social engineering. Do not attempt to manipulate, deceive, or phish NorthQuinn personnel, contractors, or customers.
  • No physical access testing. Physical security testing of NorthQuinn facilities or hardware is not authorized under this policy.
  • No third-party systems. Do not attack cloud providers, hosting infrastructure, or other third-party services used by NorthQuinn.
  • Report promptly. Submit findings as soon as reasonably practicable after discovery. Do not withhold or delay disclosure to conduct additional testing beyond what is necessary to characterize the vulnerability.
  • Keep it confidential. Do not disclose the vulnerability to any third party, publish it, or discuss it publicly prior to NorthQuinn's confirmation of remediation or explicit written consent to disclose.

Out of Scope

The following categories of findings are explicitly out of scope and will not qualify for safe harbor protections:

  • Volumetric denial-of-service attacks or rate-limit bypasses designed to degrade service
  • Social engineering, phishing, or physical intrusion attempts
  • Attacks against NorthQuinn's users, clients, or customers
  • Findings derived from automated scanning tools without manual validation (unvalidated scanner output)
  • Missing security headers where there is no demonstrated exploitability
  • Self-XSS or attacks requiring physical access to an authenticated victim's device
  • Clickjacking on pages without sensitive actions
  • Reports of outdated software versions without demonstrated exploitability in the NorthQuinn context
  • Attacks against third-party services integrated with northquinn.com (report those to the relevant vendor)
  • Previously known vulnerabilities already reported or under active remediation

Submission Process

Submit vulnerability reports to:

Email: abuse@northquinn.com
Subject Line: VDP: [Brief Description]
Encryption: PGP encryption available on request — contact us first

Your report should include, at minimum:

  • A clear description of the vulnerability type (e.g., XSS, SSRF, privilege escalation)
  • The affected asset, URL, or endpoint
  • Step-by-step reproduction instructions
  • Proof of concept (screenshot, HTTP request/response, or video) demonstrating the vulnerability without exfiltrating real data
  • Your assessment of potential impact
  • Your contact information for follow-up

Submissions that omit reproduction steps or proof of concept may be closed without action pending additional information.

NorthQuinn's Response Commitments

Milestone                                          Target Timeframe
Acknowledgment of receipt                          3 business days
Initial triage and severity assessment             10 business days
Remediation timeline communicated to reporter      20 business days from triage
Coordinated disclosure (if requested by reporter)  Negotiated — typically 90 days from initial report

NorthQuinn will keep you informed of remediation progress. If a vulnerability requires extended remediation time due to complexity or third-party dependencies, we will communicate that proactively and negotiate a coordinated disclosure timeline with you.

NorthQuinn does not offer a paid bug bounty program at this time. We commit to good-faith engagement, timely response, and public acknowledgment (with your consent) for validated findings.

Safe Harbor

NorthQuinn will not pursue civil or criminal legal action against researchers who discover and report security vulnerabilities in good faith and in compliance with this policy. We consider good-faith security research under this VDP to constitute authorized access under the Computer Fraud and Abuse Act (18 U.S.C. § 1030) and analogous state statutes.

Safe harbor under this policy is conditioned on strict compliance with the Rules of Engagement in Section 3. Research that exceeds the scope of this policy, accesses data beyond what is necessary for proof of concept, disrupts services, or involves social engineering does not qualify for safe harbor protections regardless of the researcher's stated intent.

NorthQuinn's safe harbor commitment covers only research on in-scope assets as defined in Section 2. It does not extend to third-party assets, client systems, or any system not expressly listed as in scope.

If you are uncertain whether a particular research activity falls within this policy, contact us before proceeding. We will respond within 3 business days.

Recognition

NorthQuinn will publicly acknowledge researchers who report validated vulnerabilities, with the researcher's consent, on a Hall of Thanks to be maintained at this URL. Acknowledgment is at NorthQuinn's discretion and is contingent on the report meeting the criteria in Section 5 and compliance with the Rules of Engagement in Section 3.

Researchers who wish to remain anonymous will have that preference honored.

Contact

Security Reports: abuse@northquinn.com
Privacy Inquiries: privacy@northquinn.com
Legal Inquiries: legal@northquinn.com
General Contact: northquinn.com/contact
Security.txt: /.well-known/security.txt