Vulnerability disclosure policy

  • Introduction
    • QOMPLX is committed to security. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery and disclosure activities, and conveys our preferences in how to submit discovered vulnerabilities to us.

      This policy describes which QOMPLX products and assets are covered under this policy, how to submit vulnerability reports to QOMPLX, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

      We encourage you to contact us at vulnerability@qomplx.com to report potential vulnerabilities in our systems.

  • Authorized Research
    • QOMPLX actively supports the work of independent security researchers. If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve issues quickly, and QOMPLX will not recommend or pursue legal action related to your research. Should legal action be initiated by third parties against you for activities that were conducted in accordance with this policy, we will make our authorization of your work known to them.

  • Guidelines
    • Under this policy, “research” means activities in which you:

      • Notify us as soon as possible after you discover a real or potential security issue.

      • Make every effort to avoid violating privacy, degrading user experiences, disrupting production systems, or destroying or manipulating data.

      • Exploit systems only to the extent necessary to confirm a vulnerability’s presence. Do not use exploits for any unauthorized purpose such as to compromise or steal data, establish persistent access, or pivot to other systems.

      • Provide us a reasonable amount of time to resolve issues before you disclose them publicly. We will promptly acknowledge receipt of your disclosure and provide you with an estimated timeline for our initial review of your findings.

      • Send us relevant and detailed information about the nature and severity of the issue so that we can confirm it and ensure our own understanding. Spamming us with a large number of low-quality reports won’t help anyone.

      After you’ve established that a vulnerability exists, or if you inadvertently access any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop testing, document your findings for our review, notify us immediately with sufficient detail for our own confirmatory investigation, and refrain from disclosing this data to anyone else.

  • Test Methods
    • The following test methods are not authorized:

      • Network denial of service (DoS or DDoS) tests

      • Other tests that impair access to or damage a system or data

      • Physical testing, such as office access, open doors, tailgating

      • Social engineering, such as phishing or “vishing”

      • Any other non-technical vulnerability testing

  • Scope
    • This policy applies to the following systems and services:

      • https://qomplx.com/*

      • https://*.qomplx.com

      • https://*.qomplxos.com

      Any service not expressly listed above, including any connected services, is excluded from scope and is not authorized for testing. In addition, vulnerabilities found in third-party vendors or service providers used by QOMPLX may fall outside of this policy’s scope, and should be reported to those vendors directly, according to their own disclosure policies (if any). If you aren’t sure whether a system is in scope, contact us at vulnerability@qomplx.com before starting your research.

      Although we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first. We reasonably expect to continue to increase the scope of this policy over time.

  • Reporting Vulnerabilities
    • Vulnerabilities discovered by customers, partners or members of the public may be reported by sending an email to vulnerability@qomplx.com or by using the form found at: https://www.qomplx.com/bug_submission_form. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within 3 business days. If the issue is sensitive enough to merit encrypted communication, we can support most modern secure messaging solutions; please contact vulnerability@qomplx.com and let us know your preference.

      Format of Report

      In order to help us triage and prioritize submissions, we recommend that your reports:

      • Describe the location where the vulnerability was discovered, and the potential impact of exploitation.

      • Offer a detailed description of the steps needed to reproduce the vulnerability. Proof of concept scripts or screenshots are helpful.

      • Be written in English, if possible.

  • What You Can Expect From Us
    • Should you choose to share your contact information with us, we commit to coordinating with you as openly and as quickly as possible. We will make a good-faith effort to address issues you have identified. When you report a vulnerability to QOMPLX, you can expect that:

      • Within 1 business day, we will acknowledge that your report has been received.

      • To the best of our ability, we will share select findings from our investigation of the reported vulnerability with you, and will be as transparent as possible about the steps we are taking to fix the issue, including timelines for resolution and disclosure.

      • We will maintain an open dialogue to discuss issues, including any challenges that may delay resolution.

      • We provide critical services to leading organizations. If our customers need to take any actions related to issues you find, we will coordinate our efforts with them. We will keep you informed if coordination activities extend vulnerability disclosure timelines.

      • We will disclose confirmed and fixed vulnerabilities on our website, crediting you with the discovery, unless you would prefer to remain anonymous.

  • Vulnerabilities That Expose Personal Data
    • For vulnerabilities that expose personal data as defined under GDPR, CCPA and other privacy regulations, QOMPLX may be required to disclose these flaws to relevant authorities and regulators. In general, personal data is data that directly identifies a natural person, such as a first and last name, email address or phone number. Please refer to QOMPLX’s Privacy Policy for more information on the kinds of data QOMPLX collects and how it uses such data. Note that QOMPLX does not consider IP addresses to be personal data.

      Nothing in this Policy changes our obligations to comply with applicable laws, regulations and contractual obligations. Likewise, this Policy does not shield you from any legal, regulatory or contractual obligations you may already be subject to.