Vul­nerabi­li­ty Dis­clo­sure Policy

1. Introduction

IT security is central to the strategic direction of Quantum's IT. Quantum places great importance on ensuring the confidentiality, integrity and availability of sensitive information at all times. Our IT security is in a continuous improvement process in view of the dynamic threat situation. Nevertheless, vulnerabilities may occur or be present.

We hereby encourage independent security researchers to disclose vulnerabilities to Quantum in accordance with this policy.

We will treat your report confidentially and keep you informed about the processing status. We undertake to cooperate with you in the event of a vulnerability report and to close reported valid vulnerabilities as quickly as possible.

1.1 Scope

The scope of this policy covers the entire Quantum Group.

2. Guidelines

  • Please inform us immediately if you discover possible vulnerabilities.
  • Please do not use non-qualified test methods.
  • Please allow us a reasonable amount of time to fix the vulnerability before disclosing it publicly or otherwise.


The following test methods do not qualify for vulnerability reporting:

  • Denial of Service (DoS, DDoS) or other tests that affect access to systems or data or damage Quantum's systems or data
  • Physical tests (e.g. access to offices), social engineering or other non-technical methods

3. Reporting a vulnerability

Please report vulnerabilities by email to vdp@quantum.ag. Reports from automated tools or scans without further explanation do not qualify as vulnerability reports.

The following information should be included:

  • Name of the vulnerability
  • Which system/service/application is affected?
  • Exploitation technique
  • Technical details and description of the vulnerability
  • Recommendation for closing the vulnerability