Security

Vulnerability disclosure program

Qwikcilver recognizes how important the security community is in keeping our products and our customers safe. We thank you in advance for your contributions to our vulnerability disclosure program.
The Qwikcilver Vulnerability Management Team is a global team that manages the receipt, investigation and internal coordination of security vulnerability information related to Qwikcilver offerings. This team will coordinate with Qwikcilver product and solutions teams to investigate, and if needed, identify the appropriate response plan. Maintaining communication between all involved parties, both internal and external, is a key component of our vulnerability response process.
Qwikcilver will aim to respond to new reports within 5 business days. Please note that a report status marked as triaged is subject to change pending the team's final analysis.
When submitting reports of vulnerability findings, please ensure the following procedures are followed, for safe and efficient support.
Reporting Procedure:
  1. Please submit your findings to us in the form below.
  2. Please provide us with your reference/advisory number and sufficient contact information, such as your organization and contact name so that we can get in touch with you.
  3. Please provide a technical description of the concern or vulnerability.
    1. Please provide information on which specific product you tested, including product name and version number, operating system and version, and any relevant additional information.
    2. For web based services, please provide the date and time of testing, URLs, the browser type and version, as well as the input provided to the application.
  4. To help us to verify the issue, please provide any additional information, including details on the tools used to conduct the testing and any relevant test configurations. If you wrote specific proof-of-concept or exploit code, please provide a copy. Please ensure all submitted code is clearly marked as such and is encrypted with our PGP key.
  5. If you have identified specific threats related to the vulnerability, assessed the risk, or have seen the vulnerability being exploited, please also provide that information, PGP-encrypted.
  6. If you communicate vulnerability information to vulnerability coordinators such as ICS-CERT, CERT/CC, NCSC or other parties, please advise us and provide their tracking number, if one has been made available.
  7. When possible, provide the report in English to expedite the process.
Product Security Vulnerability Report Assessment and Action:
  1. Qwikcilver will acknowledge receiving your report within five business days.
  2. Qwikcilver will assign a contact person to each case.
  3. Qwikcilver’s central security incident response team will notify the appropriate product teams.
  4. Qwikcilver will keep you informed on the status of your report.
  5. If the vulnerability is actually in a 3rd party component which is part of our product/service, we will refer the report to that 3rd party and advise you of that notification. To that end, please inform us whether it is permissible in such cases to provide your contact information to the 3rd party.
  6. Upon receiving a vulnerability report, Qwikcilver will:
    1. Verify the reported vulnerability.
    2. Work on a resolution.
    3. Perform QA/validation testing on the resolution.
    4. Release the resolution.
    5. Share lessons learned with development teams.
  7. Qwikcilver will use existing customer notification processes to manage the release of patches or security fixes, which may include direct customer notification or public release of an advisory notification on our website.
Important:
  1. Refrain from including sensitive information in any screen shots or other attachments you provide to us.
  2. Do not take advantage of the vulnerability or problem you have discovered; for example, by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying any data.
  3. After vulnerability testing, each device/URL will be retested to ensure no damage/impact has been inflicted.
  4. The discloser’s actions must not be disproportionate, such as:
    1. Using social engineering to gain access to the system.
    2. Building his or her own backdoor in an information system with the intention of then using it to demonstrate the vulnerability, as doing so can cause additional damage and create unnecessary security risks.
    3. Utilizing a vulnerability further than necessary to establish its existence.
    4. Copying, modifying or deleting data on the system. An alternative to doing so is making a directory listing of the system.
    5. Making changes to the system.
    6. Repeatedly gaining access to the system or sharing access with others.
    7. Using brute force attacks to gain access to the system. This is not a vulnerability in the strict sense, but rather repeatedly trying out passwords.
  5. To protect our customers, Qwikcilver does not publicly disclose or confirm security vulnerabilities until Qwikcilver has conducted an analysis of the product and issued fixes and/or mitigations. By submitting a vulnerability report to Qwikcilver, you agree to not publicly disclose or share the vulnerability with any third party until Qwikcilver confirms that the vulnerability has been remediated or you have received written permission from Qwikcilver to publish information about the vulnerability.
Notice:
In case you decide to share any information with Qwikcilver, you agree that the information you submit will be considered as non-proprietary and non-confidential and that Qwikcilver is allowed to use such information in any manner, in whole or in part, without any restriction. Furthermore, you agree that submitting information does not create any rights for you or any obligation for Qwikcilver.

Product Security Form