This page is not for you if…

  • You are a customer of EQS Group’s products or applications and require technical support. Please contact your Customer Success representative rather than using this process.
  • You are a supplier or contractor of EQS Group who needs technical support. Please contact your EQS Group business point

How to report a security or privacy vulnerability

Before going through the official process to submit a vulnerability issue, we urge you to look into the list of known advisories and familiarize yourselves with our Public Vulnerability Disclosure Policy.

To report a security or privacy vulnerability affecting EQS Group’s products, solutions, or IT infrastructure components, please send an email in English to security-vulnerability@eqs.com with the following information:

  • Details of vulnerability, including a means to reproduce it – for instance, but not limited to, proof-of-concept exploit code, network traces, numbered list of steps to execute, or a video demonstration if the steps may be hard to follow.
  • Description of the behavior observed as well as the behavior that was expected, if applicable.
  • The specific affected service, application, or infrastructure component, including version information, if available.
  • Status of vulnerability (was it already publicly disclosed?)

After submission, you will receive an automatic acknowledgement from us. We will contact you if we require any additional information.

If you wish to use our GPG/PGP key to write to us securely, you can retrieve the file from this link.

How EQS Group handles reports

EQS Group respects the interests of the reporting party (including anonymous reports, if requested) and agrees to handle any vulnerability that is reasonably believed to fall within our scope and responsibility.

For the protection of our customers and the users of our solutions, EQS Group doesn’t disclose, discuss, or confirm security issues until our investigation is complete. This is in line with our Public Vulnerability Disclosure Policy, which outlines the analysis, handling, and disclosure of vulnerability reports. Once the vulnerability is fixed, the information is published on our advisories page, with credit given to the individuals or organizations that reported the security issue(s).

EQS Group provides due credit to the reporter. However, in the absence of a bounty program, we are unable to pay any monetary reward to the reporter.

Known advisories

August, 2022

CVE/Link: CVE-2022-34007

Title of CVE

EQS Integrity Line Professional through 2022-07-01 allows a stored XSS via a crafted whistleblower entry.

Description

A version of the software that does not allow XSS attacks was deployed in January 2022. The vulnerability was discovered through one of our recurring internal penetration tests.

However, due to a mistake, the corrected software was not deployed to some customers. This was identified by the reporter in July 2022. Since then, we have deployed the corrected software to all of our customers.

We have put measures in place to prevent such mistakes in software distribution from being repeated.

What should customers do?

Customers need not take any action. Integrity Line Professional is already patched and secure.

Credit

Thanks to Giovanni Pellerano for responsibly disclosing the vulnerability.