Q2 Vulnerability Disclosure Program
Q2 is committed to security, and that includes welcoming feedback from security researchers and the general public. Your feedback helps us. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue on our website or in a product, we want to hear from you. This program outlines the steps for reporting vulnerabilities to us, what we expect from you, and what you can expect from us. Thank you for partnering with us.
Systems in Scope
This program applies to any digital assets owned, operated, or maintained in Q2’s enterprise computing environment.
Out of Scope
Out of scope are assets or other equipment not owned by parties participating in this program, including but not limited to third-party applications, websites, or services that integrate with or link to or from Q2 systems.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate party or applicable authority.
Authorization
If you make a good faith effort to comply with this program during your vulnerability research, we will consider your research to be authorized and we will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.
Our Commitments
When working with us in accordance with this program you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed, and
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
Our Expectations
In participating in our vulnerability disclosure program in good faith, we expect you to:
- Play by the rules, including following this program and any other relevant agreements. If there is any inconsistency between this program and any other applicable terms, the terms of this program will prevail;
- Report any actual or potential vulnerability you’ve discovered promptly;
- Make every effort to avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the official channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue and to otherwise notify us before you disclose anything publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a proof of concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as personally identifiable information (PII), personal healthcare information (PHI), credit card data, or proprietary information;
- Purge any stored nonpublic data upon reporting a vulnerability;
- Only interact with test accounts you own or with explicit permission from the account holder; and
- In no case engage in:
• Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data;
• Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing, or
• Extortion.
Official Channels
Please report security issues via the submission form below, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. Additionally, if at any time you have concerns or are uncertain whether your vulnerability research is consistent with this program, please submit a report through this channel before going any further.