Quill enforces HTTPS (TLS) for all services, including our public website. Our apps connect to our API only over TLS.
We use HSTS to ensure that browsers interact with Quill only over HTTPS. We're also in the process of being added to the HSTS preload lists for both Google Chrome and Mozilla Firefox.
All data are encrypted at rest with AES-256. Decryption keys are stored on separate machines. In addition, all data are encrypted in transit.
We don't currently offer a reward program, but we plan on offering one in the future. In the interim, please disclose vulnerabilities by chatting with us directly via your support thread.