QRCodeKey is a real-time GPS tracking platform that uses QR codes. You generate a QR code, attach it to anything (person, pet, vehicle, asset), and when someone scans it, you get the exact GPS location instantly.

How does QR code GPS tracking work?

Generate a QR code on QRCodeKey, print and attach it. When anyone scans the QR code with their phone camera, their GPS location is captured and sent to your dashboard in real-time with coordinates, city, and timestamp.

Is QRCodeKey free to use?

Yes, QRCodeKey offers a free plan with basic QR code tracking. Premium plans are available for businesses needing bulk QR codes, team management, and advanced analytics.

Can I use QRCodeKey for attendance tracking?

Yes, QRCodeKey has built-in attendance management with GPS-verified check-ins. Create groups for schools, offices, or organizations and track attendance with QR code scanning.

← Home

Security disclosure policy

Last updated: 2026-05-10. RFC 9116 reference: /.well-known/security.txt.

How to report a vulnerability

Email info.qrcodekey@gmail.comwith the subject "Security vulnerability report". Please include:

A clear description of the issue and its impact
Step-by-step reproduction instructions, or a working PoC
The URL or API endpoint affected
Whether you believe any user data is currently at risk
How you would like to be credited (real name, handle, or anonymous)

We respond within 48 hours with acknowledgement. We aim to ship a fix within 30 days for critical-severity issues, 60 days for high, 90 days for medium / low. If we need more time we will tell you why and propose a revised timeline.

In scope (we definitely want to know)

Authentication / authorisation bypass
PII exposure of any user, member, visitor, or finder
GPS-coordinate leakage outside the recorded scan event
SQL / NoSQL / command injection
Stored or reflected XSS in any authenticated context
SSRF, RCE, or any pre-auth vulnerability
Data-subject-rights bypass (Terms Section 9G)
Cross-tenant data exposure (one customer seeing another)
Bypass of the 24-hour group-deletion cooling-off (Terms 9C.8)
Bypass of the WhatsApp / SMS opt-in / STOP keyword flow

Out of scope

We appreciate the heads-up but these don’t qualify for credit:

Social-engineering of staff or vendors (Stripe, MongoDB Atlas, etc.)
Issues in third-party services — please report to them directly
Missing security headers without a clear exploit
Self-XSS that requires a victim to paste code into their console
Rate-limit reports without a working PoC at the API layer
Outdated software versions that aren’t actually vulnerable in our config
Attacks requiring physical access to a victim’s device
Reports about email / DMARC spoofing without a working impact PoC

Safe harbour

Provided you make a good-faith effort to comply with this policy, we will:

Not pursue or support legal action against you for security research that complies with this policy.
Work with you to understand and resolve the issue quickly.
Credit you publicly with your permission (Hall of Fame below).

Please do not access, modify, or delete data that does not belong to you. Stop testing as soon as you have a working PoC and report it to us. Do not publicly disclose before we have had a reasonable chance to fix.

Do you pay a bounty?

QRCodeKey is currently a small, founder-led company and we do not run a paid bug-bounty program yet. We deeply appreciate every responsible disclosure and will recognise contributions on the Hall of Fame below. If we launch a paid bounty in the future we will announce it on this page.

Hall of Fame

Researchers who have helped us harden QRCodeKey through responsible disclosure. Listed in order of first valid report.

No reports yet — will you be the first?

PGP / encrypted email

For sensitive disclosures requiring encryption, please request our PGP key by emailing the address above with the subject "PGP key request". We will respond with our current public key and fingerprint.

Thank you for helping keep QRCodeKey — and our customers — safe.