Quill forces HTTPS for all services using TLS (SSL), including our public website. Our apps only connect with our API over TLS.
We use HSTS to ensure that browsers interact with Quill only over HTTPS. We're also in the process of being added to the HSTS preload lists for both Google Chrome and Mozilla Firefox.
All data are encrypted at rest with AES-256. Decryption keys are stored on separate machines. In addition, all data are encrypted in transit.
We don't currently offer a reward program, but we plan on offering one in the future. We do, however, have a vulnerability disclosure program.
By submitting a security bug or vulnerability to Quill via HackerOne, you acknowledge that you have read and agreed to the Program Terms and Conditions set forth below. By providing a submission, you agree that you may not publicly disclose your findings or the contents of your submission to any third parties without Quill's prior written approval.
You are about to submit a report to Quill via HackerOne. Detailed and quality reporting is important to Quill. You must include a working Proof of Concept.
Your participation in our program is voluntary and subject to the terms and conditions below:
Furthermore, Quill does not consider the following to be eligible vulnerabilities: