Coordinated disclosure

SECURITYSecurity policy + vulnerability disclosure

SQUR welcomes good-faith vulnerability research. This page is the editorial twin of /.well-known/security.txt (RFC 9116). Authored by Adam Lundqvist, Founder at SQUR.

In scope

kb.squr.ai — this cs-graph knowledge base (Next.js app on Cloud Run + Firestore).
squr.ai — corporate site + the public-facing /asm scanner.
mcp.squr.ai — Model Context Protocol endpoint, when live.
squr CLI + SDK packages on npm.
Any Cloud Run service deployed under the squr-aios-tooling or squr-website-f0785 GCP projects.

Out of scope

Third-party services we embed (Vertex AI, Cloud Run, Firestore IAM, IAP) — report those upstream to Google.
Social-engineering against SQUR staff (phishing, pretexting, vishing).
Physical security at any office or co-working space.
Vulnerabilities requiring local-machine compromise of an authorised user (browser bugs, etc).
Volumetric DDoS — we use Cloud Run's auto-scaling + IAP and welcome reports of bypass paths, not floods.

What to report

Authentication bypass against IAP-gated routes.
Cross-tenant data exposure on shared Firestore collections.
XSS / SSRF / SQL-injection-equivalent attacks against any cs-graph endpoint.
Vulnerabilities in our open-source code at github.com/ibossyNr1/squr-cs-graph.
Supply-chain or dependency vulnerabilities materially affecting the production deploy.
Inaccuracies in the cs-graph that look like data poisoning vs. genuine ingest error.

What we commit to

Acknowledge within 3 business days of receipt.
Initial triage + severity rating within 7 business days.
Coordinated disclosure window: 90 days default, extendable on request if a longer remediation is genuinely needed.
Credit you in /changelog if you wish (or stay anonymous — your call).
No legal action against good-faith research that stays inside scope above.

How to report

Primary channel: security@squr.ai (PGP available on request).
Machine-readable contact: /.well-known/security.txt (RFC 9116).
Encrypted alternative: open a private GitHub Security Advisory on ibossyNr1/squr-cs-graph.
Please include: affected URL or component, reproduction steps, your contact email, optionally a PoC and impact assessment.

Hall of fame

No reports received yet — be the first. Acknowledged researchers will be listed here (with their consent) once we have any to honour.

Why this policy exists. A clear coordinated-disclosure policy is the procurement-checklist baseline buyers (and EU CRA / DORA reviewers) want to see before trusting a cybersecurity vendor. We made ours editorial-readable here and machine-readable at /.well-known/security.txt so both humans and automated scanners get the same answer.

Last reviewed 2026-05-30. Material changes to this policy land in /changelog with a 30-day notice.