A.  Introduction

QCT cares about our customers’ rights and interests and is dedicated to ensuring their data security. Our security team was established to handle vulnerabilities of our products and to follow ISO/IEC 29147 and ISO/IEC 30111 standards.

Listed below are QCT’s vulnerability handling policy and vulnerability reporting principles.

B. Policy

B-1. Vulnerability Monitoring

We receive suspected vulnerabilities through public vulnerability databases, researchers’ feedback, customers’ reports etc. Independent Hardware Vendors (IHVs) and Independent BMC/BIOS Vendors (IBVs) provide early notifications of Common Vulnerabilities and Exposures (CVEs) under NDA to QCT, allowing for sufficient time for QCT to deploy recommended mitigations prior to a vulnerability’s announcement.

B-2. Triage and Integration

The Common Vulnerability Scoring System Version 3.1 (CVSS 3.1) is implemented to evaluate the severity of suspected vulnerabilities. QCT also triages and integrates the corresponding solutions to ensure timely and well-coordinated disclosures for QCT customers.

B-3. Remediation

QCT arranges or provides corresponding solutions based on the Security Advisory (SA) obtained from the vendors or third-party databases prior to the official publication of the SA.

B-4. Disclosure

QCT customers will be informed on the disclosure date. QCT customers inquire and proceed with their updates according to their own plans. The disclosures will be announced in QCT Security Center .

C.  Reporting a Security Vulnerability to QCT

Should you discover any security or privacy vulnerabilities affecting any QCT products, please contact us at [email protected]. Due to the sensitivity of this type of issues, we suggest encrypting your email with Pretty Good Privacy key (PGP key) and enclosing the following information in the email.

• Your company name and contact information
• Affected QCT product name, revision history and descriptions
• Vulnerability information on the Common Vulnerabilities and Exposures (CVE) or Common Weakness Enumeration (CWE) lists
• Details of the vulnerability

We appreciate your contribution to our product’s security; however, any vulnerability should be handled responsibly. For that reason, we remind you that:

• Please do not try to access or modify the data without authorization.
• Please do not reveal, revise, destruct or abuse the data you discovered.
• Keep the information related to the vulnerability confidential and do not provide it to third parties.

As per this policy, all information disclosed about new vulnerabilities is considered confidential and shall only be shared between QCT and the reporting party if the information is not already public knowledge until a remedy is available and disclosure activities are coordinated.