Purpose
Qualfon is committed to protecting our business, our employees, and our clients. This policy is intended to give clear guidelines for conducting vulnerability discovery activities and to provide a clear path for vendors, suppliers, partners, and other third parties to report suspected security vulnerabilities to us.
This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.
We encourage you to contact us to report potential vulnerabilities in our systems.
Good-Faith Expectations
If you make a good faith effort to comply with this policy during your security research, Qualfon will consider your research to be authorized within the scope of this policy. We will work with you to understand and resolve the issue in a timely manner, and Qualfon will not recommend or pursue legal action related to such research. Should legal action be initiated by a third party against you for activities conducted in accordance with this policy, Qualfon will make this authorization known.
Under this policy, “research” means activities in which you:
- Notify us as soon as possible after you discover a real or potential security issue.
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
- Do not submit a high volume of low-quality reports.
Scope
In scope
- Vulnerabilities in Qualfon-owned or Qualfon-managed systems, applications, networks, endpoints, cloud environments, and services.
- Vulnerabilities in vendor-provided products or services used by Qualfon (including hosted/SaaS solutions) that could impact Qualfon or Qualfon clients.
- Findings that could affect confidentiality, integrity, or availability of Qualfon or client data processed by Qualfon.
- If you aren’t sure whether a system is in scope or not, contact us at CyberSecurity@Qualfon.com before starting your research.
Out of scope (unless explicitly authorized in writing by Qualfon):
- Testing or findings involving client-owned systems not managed by Qualfon, including services and systems not owned by Qualfon.
- Denial-of-service (DoS/DDoS), load testing, spam, or other activity that degrades service availability.
- Social engineering, phishing, vishing, physical security testing against Qualfon personnel or sites.
- Any activity that involves accessing, modifying, copying, or exfiltrating data beyond the minimum needed to demonstrate the issue.
Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.
Roles and Responsibilities
N/A
Definitions
N/A
Policy
Reporting Channel
Send vulnerability reports to the Qualfon Cybersecurity team at: CyberSecurity@Qualfon.com
If you need to provide sensitive technical details or files, request secure transfer options in your email and we will respond with approved methods.
Reporting Requirements
To help us triage quickly, include the following (as applicable):
- Your name, company, role, and preferred contact information. (Optional. Anonymous submissions are welcome.)
- A clear description of the issue and affected asset(s) (system/app/service name, URL, IP, environment).
- Steps to reproduce, proof-of-concept details, screenshots/logs (sanitized), and expected vs. actual behavior.
- Impact assessment (what could be accessed or changed, likelihood, and business/client impact).
- Any known workarounds or recommended remediation.
- Whether the issue involves vendor-provided technology (product/version/configuration).
- Provide the report in English, if possible.
- If exploit data, threat intelligence, or abuse in the wild becomes known after initial disclosure, update Qualfon immediately.
Please do not include sensitive personal data or client data in your report. If you inadvertently access sensitive data, stop immediately and report what occurred.
Non-Disclosure and Coordinated Disclosure
To protect Qualfon and our clients, Reporters must:
- Treat all vulnerability details, evidence, and communications as confidential.
- Not disclose the vulnerability publicly or to any third party (including social media, blogs, conferences, or other customers) without written authorization from Qualfon.
- Coordinate any disclosure timing and content with Qualfon (and impacted clients where applicable).
Qualfon will:
- Limit internal sharing of the report to personnel who need to know to investigate and remediate.
- Handle information in accordance with applicable confidentiality obligations and contractual requirements.
- Coordinate with impacted clients and relevant third parties when necessary.
Response and Reporting Timelines
Qualfon’s Cybersecurity team will follow these standard timelines (business days, unless otherwise stated):
- Acknowledgment: within 3 business days of receipt.
- Initial triage and severity assessment: within 5 business days of acknowledgment.
- Status updates: at least every 14 calendar days until closure (or more frequently for Critical/High issues).
- Remediation targets (typical):
  - Critical (CVSS 9.0 – 10.0): Mitigation plan within 7 days, target fix within 14 days.
  - High (CVSS 7.0 – 8.9): Target fix within 30 days.
  - Medium/Low (CVSS 6.9 or below): Target fix within 60-90 days, based on risk and operational constraints.
These timelines may vary depending on complexity, required vendor/client coordination, or evidence completeness. We will communicate any material changes and expected next steps.
Transparency Statement
Qualfon values transparency and responsible security collaboration. When appropriate, we may:
- Share high-level status updates with the Reporter during investigation and remediation.
- Notify affected clients, vendors, or regulators as required by contract or law.
- Publish an advisory or release notes after remediation is deployed, potentially acknowledging the Reporter with their consent.
Qualfon will not request or expect Reporters to perform risky actions (e.g., data extraction) to validate a finding.
Contact Information
For all vulnerability disclosures, questions, or clarifications, Vendors should contact:
Email: CyberSecurity@Qualfon.com
Procedures
N/A
Exceptions
N/A
Revision History
| Revision Date | Change Summary | Changed By / Verified By | Annual Verification Completion Date |
|---|---|---|---|
| 02/26/2026 | Initial Release | Michael Priddy | N/A |