Scope
EQS Group believes that vulnerability disclosure is a two-way street, where both service providers and security researchers must act responsibly. As a provider of leading digital solutions, we are committed to helping ensure the confidentiality and security of our customers’ information and of reporters’ identities.
We accept reports for currently listed EQS Group products, services, and the IT infrastructure involved. Each vulnerability report is handled and reviewed by a team consisting of our own employees or external parties, coordinated through the Information Security team and its CISO.
The Public Vulnerability Disclosure Policy helps reduce risk and improves security, confidentiality, and privacy not only for EQS Group and its customers, but for anyone directly or indirectly affected. We aim to resolve the issue within 90 days. However, when deemed reasonable, this deadline may be extended at the sole discretion of the company.
We promise to work in good faith with parties who:
- Act ethically, as described in the section “Acting Ethically”;
- Perform a Coordinated Disclosure, as described in the “Coordinated Disclosure Process”.
To avoid untoward situations arising out of badly disclosed vulnerabilities, we have formulated a process for handling reported security vulnerabilities in our product and service portfolio and IT infrastructure.
Acting Ethically
EQS Group welcomes vulnerability reports from researchers, industry groups, CERTs, customers, partners, and any other sources. A non-disclosure agreement is not required as a prerequisite for submitting reports.
EQS Group does not intend to engage in legal action against individuals who:
- Engage in testing of EQS Group’s products, services, and IT infrastructure without causing harm, compromising safety or privacy, or otherwise affecting EQS Group or its customers, suppliers, partners, reporters, or any other individual or company.
- Adhere to the applicable laws and regulations and refrain from committing criminal offences when performing a test; do not infringe any applicable copyright, intellectual property rights or trade secrets, and comply with all applicable software license requirements.
- Perform coordinated disclosure and respect the processes and conditions described in the section “Coordinated Disclosure Process”.
- Avoid impact to the safety, the confidentiality of commercially sensitive information, or the privacy of anyone, especially of EQS Group and its customers.
- Do not disclose, destroy or compromise the integrity of data belonging to EQS Group, our customers, partners, or any other individual or company.
- Do not cause damage to the software, information, or IT infrastructure being tested. This means no Denial of Service or any other large-scale attack, or any other action which could cause disruption to services or IT infrastructure.
- Restrict the scope of testing to the bare minimum necessary to demonstrate the vulnerability.
- Keep confidential any technical details about the exploitation of the vulnerability, unless written permission to release them is granted by EQS Group’s CISO or their deputy.
- Do not report the vulnerability to any other party, including CERTs. Communication with CERTs and other entities is handled directly by EQS Group’s Information Security team. EQS Group is liaising to become a registered CNA; therefore, if required, we will obtain the CVE number ourselves through MITRE.
- Do not require a financial transaction as a precondition to the disclosure of a potential vulnerability.
Coordinated Disclosure Process
At EQS Group, the vulnerability handling process consists of four steps: Report, Analysis, Handling, Disclosure.
1. Report
To report a security or privacy vulnerability affecting EQS Group’s products, solutions, or IT infrastructure components, please send an email in English to security-vulnerability@eqs.com.
The report must include the following information:
- Details of the vulnerability, including a means to reproduce it – for instance, but not limited to, proof-of-concept exploit code, network traces, a numbered list of steps to execute, or a video demonstration if the steps may be hard to follow.
- Description of the behaviour observed as well as the behaviour that was expected, if applicable.
- The specific affected service, application, or infrastructure component, including version information, if available.
- Nature of the vulnerability (has it already been publicly disclosed?)
2. Analysis
We assess whether the vulnerability is within scope for our products, services, or IT infrastructure. If this is the case, we will investigate and reproduce the vulnerability as required.
We aim to respond to incoming reports within three business days (reference time and calendar for Munich, Germany). If a deadline is due to expire on a weekend or falls on a Bavarian or German public holiday, the deadline will be moved to the next workday.
If appropriate, we will request additional information from the reporter.
3. Handling
We perform internal vulnerability handling together with the responsible product team. As required, external entities such as CERTs may be notified in advance of public disclosure.
During this time, we will maintain regular communication with the reporting party.
If applicable and available, and at the sole discretion of EQS Group, product teams may provide pre-releases of fixes to the reporting party for verification.
4. Disclosure
After the issue is successfully analysed and if a fix is necessary to solve the vulnerability, corresponding fixes will be developed and applied. EQS Group will use existing customer notification processes to manage the release of patches and new versions; this can include direct customer notification or public release of a security advisory.