Report a security vulnerability

We take information security seriously and value the contributions of the security community. If you believe you’ve discovered a vulnerability or weakness in one of EQS Group’s products or services, we encourage you to share it with us responsibly.
Your report helps us maintain the highest standards of trust, transparency, and integrity for thousands of organizations that rely on EQS every day.

If you are a customer of EQS products or applications, please contact your Customer Success representative rather than using this process.

If you are a supplier or contractor of EQS Group, please contact your EQS Group business point

How to report a security or privacy vulnerability

Security is a shared responsibility. EQS Group welcomes reports from external researchers and partners who help us identify and fix potential issues before they can be exploited. We are committed to investigating all legitimate reports and addressing confirmed vulnerabilities as quickly as possible.

Report a vulnerability

To report a security or privacy vulnerability affecting EQS Group’s products, solutions, or IT infrastructure components, please send an email in English to security-vulnerability@eqs.com with the following information:

  • Details of the vulnerability, including a means to reproduce it – for instance, but not limited to, proof-of-concept exploit code, network traces, a numbered list of steps to execute, or a video demonstration if the steps may be hard to follow.
  • Description of the behavior observed as well as the behavior that was expected, if applicable.
  • The specific affected service, application, or infrastructure component, including version information, if available.
  • Status of the vulnerability (has it already been publicly disclosed?)

After submission, you will receive an automatic acknowledgement from us. We will contact you if we require any additional information.

If you wish to use our GPG/PGP key to write to us securely, you can either retrieve the file from this link or copy the following:


How EQS Group handles reports

Once we receive your report, the EQS Information Security team follows a defined process to ensure a transparent and efficient response:

  1. Acknowledgement: You’ll receive an automated confirmation that your report was received.
  2. Initial Review: Our team assesses the report to verify its validity and impact.
  3. Remediation: If confirmed, we assign priority and work to resolve the issue promptly.
  4. Communication: We keep you updated throughout the process and may reach out for clarification or collaboration.
  5. Disclosure: After resolution, we publish a summary in our Security Advisories section and, if you wish, credit your contribution.

Important Notes

  • We ask you to act in good faith and avoid accessing or modifying data you do not own.
  • Do not use automated scanners that could degrade service performance.
  • If you accidentally access personal data, stop testing immediately and notify us.
  • We may take legal action in response to reports that violate laws or are performed in bad faith.

Known Advisories

CVE/Link: CVE-2022-34007

Title of CVE

EQS Integrity Line Professional through 2022-07-01 allows a stored XSS via a crafted whistleblower entry.

Description

A version of the software that does not allow XSS attacks was deployed in January 2022. The vulnerability was discovered through one of our recurring internal penetration tests.

However, due to a mistake, the corrected software was not deployed to some customers. This was identified by the reporter in July 2022. Since then, we have deployed the corrected software to all of our customers.

We have put measures in place to prevent such mistakes in software distribution from being repeated.

What should customers do?

Customers need not take any action. Integrity Line Professional is already patched and secure.

Credit

Thanks to Giovanni Pellerano for responsibly disclosing the vulnerability.