Q2 Vulnerability Disclosure Standard
Q2 Holdings, Inc. and its consolidated subsidiaries (collectively, “Q2”) welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This standard outlines steps for reporting vulnerabilities to us, what we expect and what you can expect from us.
This standard applies to any digital assets owned, operated, or maintained in Q2’s enterprise computing environment.
The following are out of scope: assets or other equipment not owned by parties participating in this standard, including but not limited to third-party applications, websites, or services that integrate with or link to or from Q2 systems.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate party or applicable authority.
When working with us in accordance with this standard you can expect us to:
• Respond to your report promptly, and work with you to understand and validate your report;
• Strive to keep you informed about the progress of a vulnerability as it is processed; and
• Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
In participating in our vulnerability disclosure program in good faith, we expect you to:
• Play by the rules, including following this standard and any other relevant agreements. If there is any inconsistency between this standard and any other applicable terms, the terms of this standard will prevail;
• Report any actual or potential vulnerability you’ve discovered promptly;
• Make every effort to avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
• Use only the official channels to discuss vulnerability information with us;
• Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue and to otherwise notify us before you disclose anything publicly;
• Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
• If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as personally identifiable information (PII), personal healthcare information (PHI), credit card data, or proprietary information;
• Purge any stored nonpublic data upon reporting a vulnerability;
• Only interact with test accounts you own or with explicit permission from the account holder; and
• In no case engage in:
  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data;
  • Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing; or
  • Extortion.
Please report security issues via email to: iSOC@q2.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. Additionally, if at any time you have concerns or are uncertain whether your vulnerability research is consistent with this standard, please submit a report through this channel before going any further.