Coordinated Vulnerability Disclosure
Hacking computer systems is not permitted unless the owner expressly gives permission for it. Some organisations, like Qbit, have a so-called Coordinated Vulnerability Disclosure (CVD) or Responsible Disclosure (RD) policy. In its CVD or RD policy the organisation states which systems may be tested, which research methods are allowed for finding vulnerabilities and how a vulnerability should be reported. The policy also states how much time the organisation will need to correct a reported problem.
See also the Coordinated Vulnerability Disclosure Guidelines of the NCSC.
Qbit provides a so-called triage service. Every report you receive via your CVD or RD policy is validated by our Security Centre: we assess whether the reported vulnerability is reproducible, what its risk is, and whether it has already been reported or was already known. Depending on the risk, and in consultation with you, we process the reports within agreed deadlines. You then decide whether and how you reward the researcher. We can also take care of the triage for your bug bounty platform.
With its extensive knowledge of a wide range of topics, our Security Centre can give you detailed feedback in every situation and can help you resolve vulnerabilities. The triage service is offered as a subscription, which includes Qbit HQ and incident response.
The advantages of Triage:
- Fast and reliable handling of CVD reports.
- Detailed feedback and advice about solutions.
- Support in case of incidents.