Security & Vulnerability Reporting

1. Reporting a Vulnerability

We welcome reports from security researchers, customers, and partners.

If you discover a potential security vulnerability, please report it to us via email: cyberexpert@qima.com

Please include:

  • Description of the vulnerability
  • Affected product(s), version(s), or asset(s)
  • Steps to reproduce (PoC if available)
  • Potential impact assessment
  • Suggested mitigation (if known)

This channel is intended only for security vulnerabilities.

2. Coordinated Vulnerability Disclosure (CVD)

We follow a Coordinated Vulnerability Disclosure model:

  • Vulnerabilities should be reported privately and responsibly
  • We will acknowledge receipt within 3 business days
  • We aim to provide a remediation timeline after triage
  • Public disclosure should occur only after a fix or mitigation is available

This ensures vulnerabilities are resolved before public exposure, reducing risk to users.

3. Vulnerability Handling Process

Our internal process includes:

Intake & Triage

  • Validate and classify the vulnerability
  • Assess severity (e.g., CVSS, exploitability, EPSS trends)

Impact Analysis

  • Identify affected assets (security, network, privacy, financial)
  • Determine exploitability in real-world conditions

Remediation

  • Develop and test fixes
  • Apply secure update mechanisms
  • Validate mitigation effectiveness

4. Regulatory Reporting Obligations (EU CRA)

Where applicable, CyberExpert complies with EU Cyber Resilience Act reporting requirements:

  • Early warning within 24 hours of awareness
  • Full notification within 72 hours
  • Final report within 14 days after remediation

These reports are submitted via the appropriate CSIRT channels.

5. Scope

This policy applies to:

  • All CyberExpert platform components
  • APIs, integrations, and supporting infrastructure

Out-of-scope:

  • Non-security bugs (use standard support channels)
  • Feature requests or usability issues

6. Safe Harbor

We support responsible security research. We will not pursue legal action against researchers who:

  • Act in good faith
  • Avoid privacy violations and service disruption
  • Follow this disclosure policy

7. Security Best Practices

CyberExpert enforces industry best practices including:

  • Secure-by-design development
  • Vulnerability scanning and penetration testing
  • Secure update and patch management mechanisms
  • Monitoring and incident response readiness

Contact

For any security-related inquiries: cyberexpert@qima.com