Table of Contents
How to respond to security reports
Introduction
In a constantly evolving digital world, the security of information systems is more crucial than ever.
Quintessence is committed to enhancing the security posture of businesses and protecting user data. When we detect a vulnerability within a service, our goal is to inform you responsibly and effectively so that you can address it before it is exploited by malicious actors.
This post explains how best to respond if Quintessence contacts you to report a vulnerability.
Why Quintessence contacted you
As a team specialized in cybersecurity, Quintessence dedicates its efforts to detecting and addressing vulnerabilities in our clients' information systems. We also take an active part in the security community by contributing to open-source projects and reporting security flaws to various companies. This work has led to the discovery of more than 10 compromised secrets and the proactive reporting of several security incidents.
When we identify a vulnerability in your infrastructure or application, it means we have detected a potential flaw that could be exploited, thereby compromising user data security or the availability of your service.
How to respond when contacted
Verify the authenticity of the contact
The first step is to make sure that the message really comes from Quintessence. All our emails are signed with PGP. You can verify a message with a single click using our signature verification tool: the email signature block of each of our emails contains a hyperlink carrying the message and its PGP signature in cleartext format. Because that link arrives in the same email you are checking, also confirm the fingerprint of our public key through an independent channel before relying on the result, as you would for any PGP-signed message.
Consider the potential impacts
If your site has a valid security.txt file (RFC 9116, served at /.well-known/security.txt), we will use the contact it lists to provide the following information:
- CVSS score of the identified vulnerability
- Steps to reproduce the vulnerability
- Where possible, a proof of concept to test the vulnerability quickly, in the form of source code or a video
These elements will help you understand the nature of the detected vulnerability and its potential impact on your organization, and will assist in resolving the issue.
Warning: do not underestimate the risk. The real impact is often greater than the initial description suggests, for example when the flaw can be chained with other weaknesses.
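What "valid" means for security.txt is defined by RFC 9116: the file lives at /.well-known/security.txt, must contain at least one Contact field and exactly one Expires field that has not passed, and any web URI in it must use https. The checker below is an added example written for this article, not Quintessence's own tooling; it applies those structural rules to two constructed sample files. The domain example.com, the sample contents and the reference date are assumptions.

```python
"""Structural checks for a security.txt file, following RFC 9116.
Constructed example written for this article; not Quintessence's own tooling."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field names defined in RFC 9116 (names are case-insensitive).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
URI_FIELDS = KNOWN_FIELDS - {"expires", "preferred-languages"}

# Assumed reference date, so the sample results below stay stable.
REFERENCE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (field, value) pairs; comments and blank lines are skipped.
    Lines without 'name: value' shape come back with field None."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            pairs.append((None, raw))
        else:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems, seen = [], {}
    for name, value in parse_security_txt(text):
        if name is None:
            problems.append(f"unparseable line: {value!r}")
            continue
        seen.setdefault(name, []).append(value)
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field: {name}")
        elif name in URI_FIELDS:
            scheme = urlparse(value).scheme
            if not scheme:
                problems.append(f"{name}: value is not a URI: {value!r}")
            elif scheme == "http":  # RFC 9116: web URIs must use https
                problems.append(f"{name}: web URIs must use https: {value!r}")

    # Contact is required; Expires must appear exactly once and still be in the future.
    if "contact" not in seen:
        problems.append("Contact is required (at least one)")
    expires = seen.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires must appear exactly once (found {len(expires)})")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {expires[0]!r}")
        else:
            if exp.tzinfo is None:
                problems.append("Expires must carry a timezone offset")
            elif exp <= now:
                problems.append(f"file expired on {exp.isoformat()}")
            elif exp > now + timedelta(days=365):
                problems.append("Expires is over a year away (RFC 9116 advises under a year)")
    if len(seen.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")
    return problems


# Constructed sample files; example.com stands in for a real site.
GOOD = """\
# Served at https://example.com/.well-known/security.txt
Contact: mailto:security@example.com
Contact: https://example.com/report
Expires: 2025-06-30T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://example.com/.well-known/security.txt
"""

BAD = """\
Contact: http://example.com/report
Expires: 2020-01-01T00:00:00Z
Preferred-Languages: en
Preferred-Languages: fr
Hotline: +1-555-0100
"""

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, validate_security_txt(sample, now=REFERENCE_NOW) or ["OK"])
```

The checker works on text you already have; it does not fetch the file or verify an OpenPGP cleartext signature on it. Retrieve the file over HTTPS and, if you sign it, check the signature separately with gpg before trusting the contact it names.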
Our commitments during the resolution phase
During the resolution phase, we support you in addressing the vulnerability free of charge. We provide as much advice and resources as possible to help you fix the identified issue.
When a fix is deployed, we will verify that it is effective.
Collaborate with Quintessence
Our team is available to help you resolve the vulnerability. Assistance beyond the free support described above is billed at a daily rate.
Here’s how we can help you:
- Audits: Conducting thorough audits of your codebase to identify and assess complex vulnerabilities.
- Consulting: Assisting in the implementation of tailored security strategies adapted to your industry.
- Pentesting: Simulating real attacks to test the robustness of your infrastructures and reveal flaws to be corrected.
- Monitoring: Continuously monitoring cybercriminal forums to quickly detect any malicious activity.
Responsible disclosure
If no action is taken and we judge that the reported issue is serious enough for user security, we will publicly disclose the details of the problem, together with possible fixes and advice for potentially affected users.
Here’s how we proceed:
Initial contact
We reach out to you to explain the problem and provide the necessary information to resolve it.
If we receive no response after 31 days and several follow-ups, we publicly disclose the details. The link to the disclosure is sent over the same channel used for the initial contact.
Response
Each response from you restarts the 31-day period until the next action is taken. If the issue remains unresolved after 31 days and we determine that it is being neglected, we publicly disclose the details, and the link to the disclosure is communicated over the same channel used in previous exchanges.
Fix
If a fix is applied, we will verify its effectiveness and communicate each test performed, as well as the expected and obtained results.
We will then ask for your permission to publish the events on our website, which will highlight the responsiveness of your teams in addressing the issue.
Conclusion
The security of information systems is a shared responsibility. By collaborating with Quintessence, you benefit from our expertise in identifying and correcting vulnerabilities, thereby strengthening the protection of your data and the trust of your users. Do not hesitate to contact us for any questions or additional assistance.
Contact us today to enhance the security of your systems and protect your data against potential threats.