
Security: quantumpipes/conduit


SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in QP Conduit, please report it responsibly.

Email: security@quantumpipes.com

What to include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response timeline:

  • Acknowledgment within 48 hours
  • Initial assessment within 7 days
  • Fix or mitigation plan within 30 days

Scope

Security reports are accepted for:

  • DNS spoofing or cache poisoning via dnsmasq misconfiguration
  • TLS certificate generation or validation bypass
  • Routing manipulation (sending traffic to unintended backends)
  • Container escape or inspection privilege escalation
  • Command injection or code execution vulnerabilities
  • Health check spoofing (reporting healthy when degraded)
  • Input validation bypass
  • Log tampering or audit evasion

Out of Scope

  • Caddy core vulnerabilities (report to the Caddy project)
  • dnsmasq core vulnerabilities (report to the dnsmasq project)
  • Docker engine vulnerabilities (report to Docker)
  • Social engineering attacks
  • Denial of service via resource exhaustion

Supported Versions

Version   Supported
0.1.x     Yes

Security Design

QP Conduit follows these security principles:

  • Internal TLS certificates generated by Caddy's built-in CA (no self-signed workarounds)
  • DNS resolution restricted to internal service names only
  • All reverse proxy routes require a passing health check before receiving traffic
  • Container inspection uses read-only Docker socket access
  • Input validation rejects all characters outside [a-zA-Z0-9_.-]
  • Zero use of eval in the entire codebase
  • set -euo pipefail in every script
  • GPU and hardware metrics collected via read-only system interfaces
  • No secrets stored in configuration files (environment variables only)
  • All monitoring endpoints are internal-only, never exposed externally
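As an added illustration of the input validation principle above (example code, not QP Conduit's own), a POSIX shell validator that applies the stated character class [a-zA-Z0-9_.-] under set -euo pipefail. It rejects rather than sanitises, so no shell or config metacharacter reaches a generated dnsmasq or Caddy fragment; the class alone says nothing about length or structure, so a caller that uses the name as a path component or hostname label still needs its own checks.

```shell
#!/bin/sh
# Added example, not part of the QP Conduit codebase.
# Every script in the project runs with these options (per the policy):
#   -e  abort on the first failing command
#   -u  treat unset variables as errors
#   -o pipefail  a pipeline fails if any stage fails
set -euo pipefail

# is_valid_service_name NAME
# Returns 0 when NAME is non-empty and consists only of the characters
# [a-zA-Z0-9_.-]; returns 1 otherwise. The bracket expression below is the
# negation of that class, so any single disallowed character fails the match.
is_valid_service_name() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!a-zA-Z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_dns_entry NAME ADDRESS
# Hypothetical helper showing the validate-then-use pattern: the name is only
# interpolated into a dnsmasq "address=" line after it passes validation.
# The ".internal" suffix is an assumption for this example, not a project value.
render_dns_entry() {
    is_valid_service_name "$1" || {
        printf 'rejected service name\n' >&2
        return 1
    }
    printf 'address=/%s.internal/%s\n' "$1" "$2"
}
```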

Copyright 2026 Quantum Pipes Technologies, LLC.
