Disclosure policy for IT vulnerabilities
QMETHODS welcomes all reports of potential vulnerabilities related to our Versio.io platform, services, or assets that you submit in good faith and in accordance with this policy.
Attention
If you are a customer, supplier or contractor of QMETHODS products or services, you should contact your representative directly rather than using this process.
Safety first!
QMETHODS is deeply committed to safety and security and therefore urges you not to do anything that could harm you or others.
How do I report a vulnerability?
Send your report in English via encrypted email to cve-coordination@versio.io as soon as possible after discovering the potential vulnerability, along with the following information:
- Description of the vulnerability
- Details on how to reproduce it
- Timeline of discovery
- Related product, service or asset
- Your contact details
We will acknowledge receipt of your report promptly, usually within 72 hours. If you do not receive confirmation of receipt from QMETHODS within this period, please resend your report to ensure we have received it.
What about trust?
We may need time to assess and fix a vulnerability. We rely on you to give us a reasonable period of time before sharing potential vulnerabilities with, or publishing them to, the public or third parties. Please remember that any public disclosure or sharing of information about an unresolved vulnerability can cause harm and expose you to liability.
We respect the interests of the reporting party, and anonymous reports are welcome.
Note
QMETHODS does not operate a bug bounty programme. However, we do recognise reporting parties who have reported a recognised security vulnerability to us.
Be ethical and compliant!
The purpose of these guidelines is to facilitate the disclosure of potential vulnerabilities in an ethical manner and in accordance with the law. They should not be interpreted as permission to violate laws or reverse engineer code or other technologies.
The disclosure of any vulnerability must comply with the following principles:
- Do not cause harm to QMETHODS, our customers, suppliers, partners, or other individuals or companies.
- Do not act in a manner that compromises the security of our products, their operation, and/or related services.
- Do not violate any applicable intellectual property rights or trade secrets, laws, or regulations.
- Do not block, disclose, destroy or compromise the integrity of data belonging to QMETHODS and its customers and partners.
- Do not make a financial transaction a precondition for disclosing a potential vulnerability.
- Do not violate applicable data protection laws and regulations.