Security

Vulnerability disclosure policy

Guidance for responsibly reporting suspected security vulnerabilities.

StatusDeck for Jira Cloud Last updated: 12 July 2026

Reporting

Email reports to support@qtilabs.com with the subject StatusDeck Security Report.

Include

  • Description of the suspected vulnerability
  • Affected component or page
  • Reproduction steps
  • Potential impact
  • Proof of concept that does not expose customer data
  • Your contact details and preferred disclosure timeline

Safe-harbour expectations

Good-faith research should avoid privacy violations, data destruction, persistence, denial of service, social engineering, automated high-volume scanning, access to unrelated customer data and public disclosure before remediation.

Our process

  1. Acknowledge receipt.
  2. Triage severity and reproducibility.
  3. Investigate and contain where necessary.
  4. Develop and validate remediation.
  5. Coordinate notifications and disclosure.
  6. Conduct post-incident review where appropriate.

Not a bug bounty

This policy does not create a paid bug-bounty programme or guarantee compensation. Any recognition or reward is at QTI Labs' sole discretion.

Effective date: upon first public availability of StatusDeck on the Atlassian Marketplace. Review at least annually and after material product, scope, storage, subprocessor, security or legal changes.