Report Security and Privacy Issues
Security at HiRoad: Responsible Disclosure Policy
At HiRoad, we are committed to the security and privacy of our customers' data. We believe that a robust security posture is built on collaboration, and we appreciate the help of the global security research community in identifying potential vulnerabilities.
If you believe you’ve found a security vulnerability in a HiRoad product or service, we want to hear from you.
If you follow the guidelines of this policy when reporting an issue to us, we commit to:
Acknowledge receipt of your report in a timely manner.
Investigate and validate the report promptly.
Communicate openly about the timeline for a fix.
Safe Harbor: We will not pursue legal action against researchers who discover and report vulnerabilities in good faith while following these guidelines.
Guidelines for Researchers
To remain compliant with this policy, we ask that you:
Avoid Privacy Violations: Do not access, modify, or destroy data belonging to HiRoad customers.
No Disruptions: Do not perform Denial of Service (DoS) attacks or any testing that might degrade our services.
Confidentiality: Give us a reasonable amount of time to fix the issue before sharing any information publicly.
No Social Engineering: Do not target HiRoad employees or contractors with phishing or physical security attacks.
Scope
The following domains and applications are considered in-scope:
*.hiroad.com
*.blueowl.xyz
The HiRoad Mobile App (iOS & Android)
How to Report a Vulnerability
Please send your findings to responsible-disclosures@quanata.com. To help us triage your report quickly, please include:
A clear description of the vulnerability.
Step-by-step instructions to reproduce the issue (PoC).
The potential impact if exploited.
Your contact information (optional, if you wish to be credited).
What We Are Looking For
We are particularly interested in high-impact vulnerabilities, such as:
Cross-Site Scripting (XSS)
SQL Injection (SQLi)
Authentication or Authorization flaws
Remote Code Execution (RCE)
Significant Data Leaks (PII)
