EQS Group believes that vulnerability disclosure is a two-way street, where both service providers and security researchers must act responsibly. As a provider of leading digital solutions, we are committed to helping ensure the confidentiality and security of our customers’ information and of reporters’ identities.
We accept reports for currently listed EQS Group products, services, and the IT infrastructure involved. Each vulnerability report is handled and reviewed by a team consisting of our own employees or external parties, coordinated through the Information Security team and its CISO.
The Public Vulnerability Disclosure Policy helps reduce risk and improves security, confidentiality, and privacy not only for EQS Group and its customers, but for anyone directly or indirectly affected. We aim to resolve the issue within 90 days. However, when deemed reasonable, this deadline may be extended at the sole discretion of the company.
We promise to work in good faith with parties who:
- Act ethically, as described in the section “Acting Ethically”;
- Perform a Coordinated Disclosure, as described in the “Coordinated Disclosure Process”.
To avoid untoward situations arising from badly disclosed vulnerabilities, we have formulated a process for handling reported security vulnerabilities in our product and service portfolio and IT infrastructure.
EQS Group does not intend to engage in legal action against individuals who:
- Engage in testing of EQS Group’s products, services, and IT infrastructure without causing harm, compromising safety or privacy, or otherwise affecting EQS Group or its customers, suppliers, partners, reporters, or any other individual or company.
- Adhere to the applicable laws and regulations and refrain from committing criminal offences while performing a test; do not infringe any applicable copyright, intellectual property rights or trade secrets, and comply with all applicable software license requirements.
- Perform coordinated disclosure and respect the processes and conditions described in the section “Coordinated Disclosure”.
- Avoid any impact on the safety, the confidentiality of commercially sensitive information, or the privacy of anyone, especially EQS Group and its customers.
- Do not disclose, destroy, or compromise the integrity of data belonging to EQS Group, our customers, partners, or any other individual or company.
- Do not cause damage to the software, information, or IT infrastructure being tested. This means no Denial of Service or other large-scale attack, and no other action that could disrupt services or IT infrastructure.
- Restrict the scope of testing to the bare minimum necessary to demonstrate the vulnerability.
- Keep confidential any technical details about the exploitation of the vulnerability, unless EQS Group’s CISO or their deputy grants written permission to release them.
- Do not report the vulnerability to any other party, including CERTs. Communication with CERTs and other entities is handled directly by EQS Group’s Information Security team. EQS Group is liaising to become a registered CNA; therefore, if required, we will obtain the CVE number ourselves through MITRE.
- Do not require a financial transaction as a precondition for the disclosure of a potential vulnerability.
Coordinated Disclosure Process
At EQS Group, the vulnerability handling process consists of four steps: Report, Analysis, Handling, Disclosure.
Once the issue has been successfully analysed, and if a fix is necessary to resolve the vulnerability, the corresponding fixes will be developed and applied. EQS Group will use its existing customer notification processes to manage the release of patches and new versions; this can include direct customer notification or the public release of a security advisory.