Cybersecurity policy

⚠ Placeholder document

This Security policy is a placeholder for the Beta period. The final version is pending review by legal counsel and will be aligned with the EU Cyber Resilience Act (CRA) before its September 2026 enforcement date. For any urgent security questions, contact info@aec.codes.

AEC.codes (MAW EOOD) maintains a coordinated vulnerability-disclosure programme for the QTO add-in and the surrounding website infrastructure. This page summarises our policy in line with the EU Cyber Resilience Act (CRA), effective 11 September 2026.

Reporting a vulnerability

If you believe you have found a security vulnerability in the QTO add-in or in aec.codes/qto/:

Report a security issue (preferred channel) — describe the issue and steps to reproduce.
Do not disclose publicly until we have had a reasonable opportunity to investigate and remediate.
We aim to acknowledge receipt within 72 hours.

Scope

The QTO add-in DLLs distributed via AECcodes-QTO-Setup.exe.
The websites aec.codes and aec.codes/qto/.
The version-check endpoint aec.codes/qto/version.json.

Out of scope

Third-party Revit components or Autodesk infrastructure.
Unrelated subdomains of aec.codes not listed above.

Update channel

Security fixes are shipped through the regular update channel. The add-in checks aec.codes/qto/version.json once per session and surfaces an in-app notification when a newer release is available. End-users are responsible for installing offered updates.

Vulnerability disclosure

Once a vulnerability is confirmed and remediated, we publish an entry in the Changelog describing the affected versions and the fix.

This Beta 1 security policy is provisional. Last updated 2026-05-19.