Research

Security research, vulnerability disclosure, technical publications, and live evidence for the Quantum-Native Security Platform.

Research Mission

QNSP research focuses on advancing the state of post-quantum cryptography (PQC) transition, crypto-agility, evidence-based security, and secure AI orchestration with confidential computing enclaves.

Research scope:

  • Post-quantum cryptographic protocols and migration strategies
  • Cryptographic posture enforcement and policy-driven security
  • Tamper-evident audit systems with Merkle tree checkpoints
  • Confidential computing and enclave orchestration for AI workloads
  • Searchable symmetric encryption (SSE) and encrypted data workflows
  • Downgrade detection and remediation for cryptographic protocols

We do not conduct offensive security research or publish exploits for third-party systems.

Vulnerability Disclosure & Reporting

How to Report Security Issues

If you discover a security vulnerability in QNSP, please report it to:

Email: security@cuilabs.io

Please include the following in your report:

  • Detailed description of the vulnerability
  • Steps to reproduce (proof-of-concept)
  • Affected components and versions
  • Potential impact assessment
  • Suggested remediation (if applicable)

Safe Harbor & Rules of Engagement

We support responsible disclosure and will not pursue legal action against researchers who:

  • Report vulnerabilities in good faith
  • Avoid privacy violations, data destruction, and service disruption
  • Do not test against systems they do not own or do not have permission to test
  • Do not conduct denial-of-service attacks
  • Do not exploit vulnerabilities beyond proof-of-concept validation
  • Allow us reasonable time to remediate before public disclosure

Disclosure Timeline

  • Acknowledgment: Within 48 hours of report submission
  • Initial assessment: Within 5 business days
  • Remediation target: 90 days for critical/high severity; 180 days for medium/low
  • Public disclosure: Coordinated with reporter after fix deployment

Credit Policy

We acknowledge security researchers in our advisories (unless anonymity is requested).

Security Advisories

QNSP publishes security advisories for vulnerabilities affecting production deployments. Each advisory includes:

  • Advisory ID (e.g., QNSP-SA-2026-001)
  • Severity rating (Critical / High / Medium / Low)
  • Affected components and versions
  • Fixed versions and mitigation guidance
  • Detection evidence (how to confirm exposure)

No security advisories have been published yet. This section will be updated as advisories are released.

Publications & Technical Notes

QNSP Whitepaper

Comprehensive technical overview of the Quantum-Native Security Platform architecture, cryptographic posture enforcement, and evidence-based audit systems.

PQC Migration & Crypto-Agility

Technical notes on post-quantum cryptography transition strategies, algorithm lifecycle management, and crypto-agility patterns for production systems.

Tamper-Evident Audit Architecture

Design and implementation of hash-chained audit events, Merkle tree checkpoints, and cryptographic commitment schemes for verifiable audit trails.

Live Evidence Endpoints

QNSP provides live evidence endpoints that return cryptographic posture and runtime signals from the hosted production environment. Responses can be used for audit collection and operational monitoring.

PQC-TLS Evidence

Endpoint: GET /platform/v1/crypto/tls/evidence/public

What it proves: Edge TLS policy compliance and negotiated hybrid key exchange groups (e.g., X25519MLKEM768) on production ALB listeners.

Collection method: Parses ALB connection logs from S3 and extracts the negotiated TLS key exchange group and policy signals.

Scheduled canary: Automated validation runs every 15 minutes via EventBridge, confirming X25519MLKEM768 negotiation and writing evidence to S3.

Trust assumptions: Evidence is derived from AWS ALB connection logs; integrity depends on S3 bucket access controls and IAM policies.

Cryptographic Posture

Endpoint: GET /platform/v1/crypto/posture/public

What it proves: Platform-wide cryptographic inventory including active algorithms, key material origins, and policy compliance status.

Full posture details require authentication. Contact security@cuilabs.io for access.

Research Areas

Post-Quantum Cryptography

NIST-finalized algorithms (ML-KEM, formerly Kyber; ML-DSA; SLH-DSA), migration strategies, and crypto-agility patterns for production systems.

Cryptographic Policy Enforcement

Tenant-scoped algorithm allowlists, HSM integration, and deterministic policy evaluation with audit evidence.

Crypto Inventory & CBOM

Cryptographic Bill of Materials (CBOM) generation, algorithm lifecycle tracking, and compliance assessment automation.

Confidential Computing

Enclave orchestration for AI workloads, attestation-based verification, and secure multi-party computation patterns.

Tamper-Evident Audit Systems

Hash-chained events, Merkle tree checkpoints, cryptographic commitments, and verifiable audit trails.

Downgrade Detection & Remediation

Protocol downgrade detection, automated remediation workflows, and continuous cryptographic posture monitoring.
