QCT cares about our customers’ rights and interests and is dedicated to ensuring their data security. Our security team was established to handle vulnerabilities in our products and follows the ISO/IEC 29147 and ISO/IEC 30111 standards.
Listed below are QCT’s vulnerability handling policy and vulnerability reporting principles.
B-1. Vulnerability Monitoring
We receive suspected vulnerabilities through public vulnerability databases, researchers’ feedback, customers’ reports, etc. Independent Hardware Vendors (IHVs) and Independent BMC/BIOS Vendors (IBVs) provide early notifications of Common Vulnerabilities and Exposures (CVEs) to QCT under NDA, allowing QCT sufficient time to deploy recommended mitigations prior to a vulnerability’s announcement.
B-2. Triage and Integration
The Common Vulnerability Scoring System Version 3.1 (CVSS 3.1) is used to evaluate the severity of suspected vulnerabilities. QCT also triages and integrates the corresponding solutions to ensure timely and well-coordinated disclosures for QCT customers.
B-3. Remediation
QCT arranges or provides corresponding solutions based on the Security Advisory (SA) obtained from the vendors or third-party databases prior to the official publication of the SA.
B-4. Disclosure
QCT customers will be informed on the disclosure date. QCT customers may inquire and proceed with their updates according to their own plans. The disclosures will be announced in the QCT Security Center.
Should you discover any security or privacy vulnerabilities affecting any QCT products, please contact us at QCTSecurity@qct.io. Due to the sensitivity of this type of issue, we suggest encrypting your email with a Pretty Good Privacy (PGP) key and enclosing the following information in the email.
We appreciate your contribution to our product’s security; however, any vulnerability should be handled responsibly. For that reason, we remind you that:
As per this policy, all information disclosed about new vulnerabilities is considered confidential. Unless the information is already public knowledge, it shall be shared only between QCT and the reporting party until a remedy is available and disclosure activities are coordinated.