Security & Responsible Disclosure
Last updated: April 2026 · Policy expires: April 2027
Contact
To report a security issue affecting any Holistic Quality LLC ("HQ") property, email
security@holisticquality.io. Please include steps to reproduce, affected
endpoint or property, and the impact you observed. We acknowledge reports within
2 business days and aim to provide a substantive triage response within
5 business days.
Machine-readable security contact information is published at /.well-known/security.txt, following RFC 9116.
Scope
This policy applies to the following properties operated by Holistic Quality LLC:
- holisticquality.io — HQ parent site and canonical legal surface
- aletheia.holisticquality.io — ALETHEIA Chemical Safety API marketing and docs
- api.aletheia.holisticquality.io — ALETHEIA production API, dashboard, and webhook surfaces
- safety.holisticquality.io — HQ Safety Database
- Other subdomains of holisticquality.io operated by HQ
What We Care Most About
The highest-impact findings for us involve:
- Authentication or authorization bypass on the ALETHEIA API (including API-key, admin, and Stripe webhook surfaces)
- Data exposure affecting customer records, API keys, Stripe customer/subscription identifiers, or request metadata
- Remote code execution or SSRF in any serverless handler
- Stripe webhook signature bypass or payment-flow tampering
- Privilege escalation within the admin dashboard
- Rate-limit or quota bypass that could be abused at scale
- Subdomain takeover affecting any property above
Out of Scope
The following are generally not eligible for disclosure rewards and, in most cases, are not vulnerabilities:
- Missing best-practice security headers without a demonstrated impact
- Clickjacking on pages without authenticated state-changing actions
- Denial-of-service attacks, volumetric attacks, or testing that degrades service for others
- Social engineering of HQ staff or customers
- Physical-security or facility-related findings
- Reports from automated scanners without a working proof-of-concept
- Self-XSS or issues requiring already-compromised victim devices
- Outdated third-party library versions without an exploitable vector in our deployment
- Findings on third-party services we use as subprocessors (Cloudflare, Vercel, Upstash, Resend, Stripe) — report those directly to the vendor
Safe Harbor
Holistic Quality will not pursue legal action against researchers who, in good faith:
- Make every effort to avoid privacy violations, service degradation, and data destruction or modification
- Access only the minimum amount of data necessary to demonstrate the vulnerability
- Do not exfiltrate, retain, or share HQ or customer data beyond what is strictly necessary
- Do not test against third-party services without the third party's authorization
- Report the issue to security@holisticquality.io before public disclosure
- Give us reasonable time to investigate and remediate before disclosing the issue publicly
Good-faith research conducted under this policy is authorized, and we will not consider it a
violation of our Terms of Service or the Computer Fraud and Abuse Act. If legal action is initiated
by a third party against you for activity conducted under this policy, we will make this authorization known.
Coordinated Disclosure
We follow a 90-day coordinated disclosure model. After initial triage, we will:
- Confirm receipt and validity of the report
- Agree on a fix timeline with the reporter — typically within 30 days for High/Critical, 90 days for Medium/Low
- Credit the reporter in the fix changelog if they wish, or preserve anonymity if preferred
- Publish post-fix disclosure on request, or after 90 days from initial report, whichever is earlier, unless mutually extended
Bounty
Holistic Quality does not currently operate a paid bug bounty program. We offer public credit (at
the reporter's option) and, where appropriate, merchandise or API-credit acknowledgements. This
policy may change; the current status is authoritative until updated here.
Encryption
If you wish to encrypt reports, request our PGP public key by emailing
security@holisticquality.io. We can rotate encryption keys on request.
Changes to this Policy
We review this policy at each quarterly compliance sweep and publish the "Last updated" date at the top of this page. The Expires field in /.well-known/security.txt is refreshed no less than annually. Material changes are also reflected in the Expires date.