Qdabra Software Vulnerability Disclosure Policy

Last updated: June 19, 2026

Our commitment

Qdabra Software (Autonomy Systems LLC, dba Qdabra Software) takes the security of our products and our customers seriously. We welcome reports from security researchers, customers, and members of the public about potential vulnerabilities in our software and services. This policy explains how to report a vulnerability to us and what you can expect in return.

Scope

This policy applies to security vulnerabilities in Qdabra products and the services we operate, including:

  • FormsViewer (On-Prem and hosted components)
  • FormsDesigner
  • qRules
  • Central Flows
  • Qdabra PDF
  • DBXL
  • The qdabra.com website and the Qdabra Support Portal

The following are out of scope:

  • Findings in third-party software, libraries, or services that we incorporate but do not develop (please report those to the relevant vendor)
  • Vulnerabilities in a customer's own configuration, hosting environment, or SharePoint tenant
  • Reports that require social engineering, physical access, or denial-of-service testing
  • Volumetric, spam, or automated scanner output with no demonstrated security impact

How to report

Send your report to security@qdabra.com.

To help us assess and reproduce the issue quickly, please include:

  • A description of the vulnerability and its potential impact
  • The product or service affected, and the version if known
  • Step-by-step instructions to reproduce it, including any proof-of-concept
  • Any relevant logs, screenshots, or configuration details

If you need to share sensitive information, ask us in your first message and we will arrange a secure method.

What you can expect from us

  • Acknowledgment of your report within 7 business days.
  • An initial assessment, including a severity determination and whether we can reproduce the issue, within 10 business days.
  • Status updates at reasonable intervals, and when there is a material change, until the issue is resolved.
  • Remediation as quickly as is practical, prioritized by severity and complexity. We will let you know when a fix is released.

Coordinated disclosure

We are committed to fixing valid vulnerabilities promptly and to working with reporters on timing. We ask that you give us a reasonable opportunity to remediate before disclosing publicly, generally 90 days from our acknowledgment, and that you coordinate any public disclosure with us. We are happy to credit reporters who wish to be acknowledged.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue. Good faith means, among other things, that you avoid privacy violations, do not access or modify data beyond what is necessary to demonstrate the vulnerability, do not degrade our services, and do not disclose the issue publicly before we have addressed it. This policy does not authorize action that is inconsistent with applicable law.

No monetary reward

Qdabra does not currently operate a paid bug bounty program. We deeply appreciate responsible reports and will gladly provide public acknowledgment to reporters who request it.

Questions

For questions about this policy, contact us at security@qdabra.com.