Vulnerability Disclosure Policy-QSTECH


Vulnerability Disclosure Policy

Last Updated: January 21, 2026


The QSTECH global website, accessible via the link https://www.qs-tech.com/, and its related services (hereinafter referred to as "Product" or "Service") are provided by QSTECH Co., Ltd. (hereinafter referred to as "we", "us", or "our").

This policy is established to enhance the information security level of our products, services, and systems by leveraging the expertise of security researchers, industry organizations, and partners. It aims to create a standardized and efficient mechanism for receiving, assessing, remediating, and disclosing vulnerabilities, thereby safeguarding user data security and ensuring business continuity. This policy adheres to international industry standards such as ISO/IEC 30111 and ISO/IEC 29147, balancing security and transparency in vulnerability governance.


This policy applies to all individuals (including security researchers) and organizations (including industry institutions and partners) who proactively disclose potential security vulnerabilities, privacy compliance risks, or security intelligence to us. The scope covers:

1.  Products (including hardware devices, firmware), applications (including mobile apps, PC software, fast applications), and service systems independently developed by us.

2.  Core business systems operated by us, production/office networks, and user data storage and processing systems.

3.  Third-party applications listed and distributed by us or through cooperative distribution.

Products and services that have ceased official security maintenance, as well as independent third-party products not operated by us, are excluded from the coverage of this policy.


This policy will help you understand the following:

I. Vulnerability Definitions and Reporting Specifications

II. Vulnerability Handling Process

III. Vulnerability Severity Classification Mechanism

IV. Responsibilities and Confidentiality

V. Supplementary Provisions


I. Vulnerability Definitions and Reporting Specifications

(a) Definitions of Vulnerabilities and Intelligence

1.  Security Vulnerability: Refers to a security issue in a product, service, or system that can be exploited by an attacker to compromise integrity, availability, or confidentiality. This is distinct from quality defects that can be triggered without attacker intervention.

2.  Privacy Compliance Risk: Includes, but is not limited to, unauthorized collection/sharing of user information, excessive permission requests, obstacles to account deletion, deceptive acquisition of sensitive information, and other behaviors that violate laws, regulations, or compliance requirements.

3.  Security Intelligence: Includes verifiable security threat information such as core system intrusion clues, large-scale user information leakage clues, black-market tool and attack intelligence, and business logic vulnerability clues.

(b) Reporting Requirements

1.  Reporting Channel: Reports should be submitted preferentially via the designated email address: `pip@qs-tech.com`.

2.  Report Content: Must contain the following core information to ensure the vulnerability can be reproduced and verified:

    *   Reporter's name/organization and valid contact information.

    *   Affected product name, version, model, firmware version, and test environment details (including URL, device information, system configuration, etc.).

    *   Detailed description of the vulnerability/intelligence, step-by-step reproduction steps, and non-destructive proof materials (e.g., Proof of Concept (POC), packet captures, harmless test results).

    *   Whether the vulnerability has been publicly exploited, its potential impact scope, and any disclosure plans (if applicable).

3.  Prohibited Actions: Reporters must not use the vulnerability to conduct destructive testing, data theft, illegal profiteering, or other non-compliant operations. They must not disseminate information about unpatched vulnerabilities.


II. Vulnerability Handling Process

(a) Processing Timelines

Upon receiving a vulnerability report, we will proceed according to the following timelines, while safeguarding users' right to know and their other rights and interests:

1.  Within 1-3 business days: Confirm the vulnerability's validity and provide feedback to the reporter; initiate severity assessment.

2.  Within 2 hours of confirmation: Notify affected users via email, SMS, phone calls, etc., clarifying the impact scope and providing interim protection suggestions.

3.  Within 48 hours of confirmation: Communicate the official resolution plan to users and the reporter, including temporary mitigation measures and a remediation timeline.

4.  Within 30 days of confirmation: Complete vulnerability remediation (If remediation cannot be completed on schedule due to hardware limitations, environmental complexity, or other special circumstances, the reasons for the delay and a specific new timeline must be provided in the resolution plan).

5.  After remediation completion: Notify users again of the remediation results and patch installation guidance; simultaneously release an official security advisory.

(b) Handling Process

1.  Receipt and Assessment: The security team assesses the vulnerability's validity, effectiveness, and severity level, generating an assessment report.

2.  Remediation Coordination: Coordinate with technical teams to develop a remediation plan and track development, testing, and deployment progress.

3.  Result Feedback: Within 3 business days after remediation completion, inform the reporter of the remediation results and patch release information.

4.  Public Disclosure: After remediation is complete and the patch is deployed, disclose vulnerability details and remediation instructions via an official security advisory, publicly acknowledging the reporter.

Reporters must not publicly disclose vulnerability information within 30 days after remediation completion without our consent.

(c) Dispute Resolution

If reporters disagree with the vulnerability severity rating or handling timeline, they can provide feedback via the designated email. We will review the case within 5 business days, potentially involving external security experts for adjudication if necessary.


III. Vulnerability Severity Classification Mechanism

Classification Criteria: Vulnerabilities/intelligence are classified into four levels, with core criteria as follows:

*   Critical (Severe): Can directly lead to core system paralysis, large-scale user data leakage, highest privilege hijacking, or violations of laws/regulations with extremely severe impact.

*   High: Can cause business interruption, sensitive information leakage, privilege escalation, affecting core business and infringing user rights.

*   Medium: Can cause partial functional anomalies, non-core information leakage, affecting general business and bringing certain negative impact.

*   Low: Limited impact scope and low severity, with essentially no effect on users' normal use or on business security.


IV. Responsibilities and Confidentiality

(a) Reporter Responsibilities

Reporters shall comply with laws, regulations, and the requirements of this policy, conducting vulnerability testing only within authorized scopes. They must not use vulnerabilities to harm our legitimate rights and interests or those of users, nor disclose sensitive information obtained during testing. They shall bear corresponding legal liability for any losses caused by their operations.

(b) Our Responsibilities

We strictly maintain the confidentiality of the reporter's personal information and the content of the vulnerability report, using it solely for vulnerability assessment and remediation work. It will not be disclosed to third parties without the reporter's consent (unless required by laws and regulations). We will securely store the reported data, clearly define the data retention period, and inform the reporter.


V. Supplementary Provisions

1.  This policy takes effect from the date of release. In case of inconsistency with previous relevant regulations, this policy shall prevail.

2.  We reserve the right to amend this policy based on business development, technological iteration, and updates to laws and regulations. Amendments will be announced via official platforms after revision.

3.  Matters not covered herein shall be interpreted by our Cybersecurity Department.


Official Contact Email: pip@qs-tech.com
