Report a Security Vulnerability
A security vulnerability is a flaw or weakness in the design, implementation, operation or management of a product or service that could be exploited to violate the system's security policy. To protect businesses and organizations worldwide, it is critical that the broader community of IT and security professionals report potential vulnerabilities as soon as they are recognized. This allows industry experts to take appropriate action to resolve any vulnerability that is discovered.
Reporting a Quest Security Vulnerability
If you are aware of a potential security vulnerability with any Quest product or service, we encourage you to contact us immediately using the Vulnerability Submission Form. In connection with the completion and submission of the Vulnerability Submission Form, you may be asked to provide and we may collect certain personally identifiable information. Quest has a variety of security strategies intended to prevent unauthorized access to information we collect from third parties like you. We take very seriously our responsibility for complying with established policies, processes and controls relating to the protection of our customers’ data.
Once the information has been received, a member of the Product Security Incident Response Team (PSIRT) will contact you directly to discuss the report in more detail.
To receive acknowledgement, you must be the first reporter of a vulnerability and provide us a reasonable amount of time to remediate before publicly disclosing. When submitting a vulnerability, please provide concise steps to reproduce that are easily understood.
Terms and Conditions
How Quest Responds to a Vulnerability Submission
All reported vulnerabilities are investigated by the Quest PSIRT team. In most cases, a response to reported vulnerabilities should be expected within 24 to 48 business hours. Throughout the investigation process, Quest makes every effort to work collaboratively with the incident reporter to investigate the vulnerability, gather required technical information, and determine an appropriate action plan.
Upon investigation, if the reported issue is determined by Quest to not be a vulnerability, the Service Request will be closed, and it is expected that the reporter will not report the issue publicly as a vulnerability without informing Quest first.
Notifying a vendor prior to releasing information publicly about a vulnerability is standard practice in the security industry and is known as “responsible disclosure.” This advance notice allows vendors to research and fix vulnerabilities before computer criminals are notified of their existence – keeping the Internet safer for business. We appreciate your assistance in ensuring that Quest products and services are secure.
To review Quest's Vulnerability Reporting Acknowledgements, click here.