This page is not for you if…
- You are a customer of EQS Group’s products or applications and require technical support. Please contact your Customer Success’ representative rather than using this process.
- You are a supplier or contractor of EQS Group who needs technical support. Please contact your EQS Group business point
How to report a security or privacy vulnerability
Before going through the official process to submit a vulnerability issue, we urge you to look into the list of known advisories and familiarize yourself with our Public Vulnerability Disclosure Policy.
To report a security or privacy vulnerability affecting EQS Group’s products, solutions, or IT infrastructure components, please send an email in English to email@example.com with the following information:
- Details of the vulnerability, including a means to reproduce it – for instance, but not limited to, proof-of-concept exploit code, network traces, a numbered list of steps to execute, or a video demonstration if the steps may be hard to follow.
- Description of the behavior observed as well as the behavior that was expected, if applicable.
- The specific affected service, application, or infrastructure component, including version information, if available.
- Status of vulnerability (was it already publicly disclosed?)
After submission, you will receive an automatic acknowledgement from us. We will contact you if we require any additional information.
If you wish to use our GPG/PGP key to write to us securely, you can either retrieve the file from this link or copy the following:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
How EQS Group handles reports
EQS Group respects the interests of the reporting party (also anonymous reports if requested) and agrees to handle any vulnerability that is reasonably believed to be related to our scope and responsibility.
For the protection of our customers and the users of our solutions, EQS Group doesn’t disclose, discuss, or confirm security issues until our investigation is complete. This is in line with our Public Vulnerability Disclosure Policy, which outlines the analysis, handling, and disclosure of vulnerability reports. Once the vulnerability is fixed, the information is published on our advisories page, crediting the individuals or organizations that reported the security issue(s).
EQS Group provides due credit to the reporter. However, in the absence of a bounty program, we are unable to pay any monetary reward to the reporter.
Title of CVE
EQS Integrity Line Professional through 2022-07-01 allows a stored XSS via a crafted whistleblower entry.
A version of the software that does not allow XSS attacks was deployed in January 2022. The vulnerability was discovered through one of our recurring internal penetration tests.
However, due to a mistake, the corrected software was not deployed to some customers. This was identified by the reporter in July 2022. Since then, we have deployed the corrected software to all of our customers.
We have put measures in place to prevent such mistakes in software distribution from being repeated.
What should customers do?
Customers need not take any action. Integrity Line Professional is already patched and secure.
Thanks to Giovanni Pellerano for responsibly disclosing the vulnerability.