QuadX Inc. Vulnerability Disclosure Policy

Launched in 2015, QuadX is the leading Experience Innovator in the Philippines specializing in cross-border digital logistics and e-commerce payment processing. QuadX is the company behind the following digital platforms: ShippingCart (cross-border shipping service for products from the US and UK to Southeast Asia), CheckMeOut (all-in-one payment and logistics platform for e-commerce businesses), XPost (express pickup and delivery service), PayLink and XPay.

At QuadX, we take your privacy and data security very seriously. We also recognize the importance of collaboration to improve the safety and security of our applications and services through a coordinated disclosure process. 

If you believe you’ve detected a vulnerability within our products, we’d like to hear about it. We’ll investigate all reports and do our best to fix these issues as soon as possible.


How to Submit a Vulnerability

To submit a vulnerability report to QuadX’s Product Security Team, please send an email with all the necessary details to [email protected]

QuadX’s Vulnerability Disclosure Program initially covers the following products and services:

  • ShippingCart – *.shippingcart.com
  • CheckMeOut – *.checkmeout.ph
  • XPost – *.xpost.ph
  • PayLink – *.paylink.com.ph
  • KaberX – *.kaberx.ph
  • QuadX corporate site – *.quadx.xyz

Researchers who submit a vulnerability report to us will be given full credit on our website once the submission has been accepted and validated by our product security team.


Legal Posture

QuadX will not engage in legal action against individuals who submit vulnerability reports through our reporting process. Kindly send your security bug submissions to [email protected]. We agree not to pursue legal action against individuals who:

  • Engage in the testing of systems/research without harming QuadX or its customers.
  • Engage in vulnerability testing within the scope of our vulnerability disclosure program.
  • Test on products without affecting customers.
  • Adhere to the laws of their location and the location of QuadX.
  • Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.


The following are strictly prohibited:

  • Denial of Service attacks.
  • Physical attacks against offices and data centers.
  • Social engineering of our service desk, employees or contractors.
  • Compromise of a QuadX user’s or employee’s account.
  • Use of automated tools or scans, botnets, compromised sites, end-clients or any other means of large-scale automated exploitation, or use of a tool that generates a significant volume of traffic.


Out of Scope / Known Issues

  • HttpOnly and Secure cookie flags
  • Missing X-Frame-Options or related security headers
  • Account enumeration (i.e., forgot-password error messages)
  • Self XSS
  • Tabnabbing
  • Use of a known library (without proof of exploitability)
  • Vulnerabilities as reported by automated tools without additional analysis as to how they’re an issue.


What we would like to see from you:

  • Well-written reports in English will have a higher chance of resolution.
  • Reports that include proof-of-concept code help us triage better and faster.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.


What can you expect from us:

  • A timely response to your email (usually within 2 business days).
  • After triage, we will update you and commit to being as transparent as possible about the remediation timeline, as well as any issues or challenges that may extend it.
  • An open dialogue to discuss issues.
  • Credit after the vulnerability has been validated and fixed.