Hello everyone,
Kindly let me introduce myself. This is the first – and potentially, last – message on this mailing list. I am Marco, the CISO of EQS Group. Kindly allow me to address some of the statements expressed publicly here. About the Convercent application Convercent was acquired by OneTrust in 2021, and in turn, EQS has acquired it from OneTrust at the end of 2024. Before being acquired by EQS, the Convercent application has not received much love in the latest years, and EQS has since then proceeded to migrate its customers to the EQS Compliance COCKPIT, which is a modern, supported, and secure SaaS. The Convercent application is sunset and will be finally switched off by mid of 2026. Currently, Convercent is supported by EQS on a best-effort basis; despite that, EQS Group has committed to fix all critical vulnerabilities until the last customer is fully migrated. We want our customers to migrate to our best service because it is better – not rush them in our new product because what we inherited from an acquisition is insecure. The vulnerabilities The two issues disclosed are either minor in nature or do not constitute vulnerabilities. One was a lack of certain HTTP headers (some of the reported ones where wrong, but regardless, still hardly something CVE-worthy), and the second was about an “exposed” API; however, it is public by design as this is how the application works: it is a page where customers – who have explicitly agreed and signed off to be present – are added to a drop-down list, fed from this public API. The web page exposes the list of customers by design. While we may reasonably question whether this page reflects current secure-by-design standards, this brings zero added risk to any of the EQS customers and Convercent users. I strongly disagree with the ideas that those “vulnerabilities” could become CVEs – regardless of the status of the SaaS security and how CVEs are handled. Therefore, we proceeded to ask for their removal from the CVSS database, so not to alarm our customers with false positives. The responsible CNA agreed immediately to remove them (thank you very much, VulnCheck!). Communication with our customers EQS Group communicates with its customers through established and appropriate channels – notably, our Trust Center – and not via anonymous mailing lists. Customers have received and will continue to receive all the notifications they have contractually required to obtain, and where relevant, additional context beyond those obligations. Customers have received a briefing about the activity happening on this mailing list via our Trust Center. The status of SaaS Security As EQS Group is a CNA candidate, we participate and closely follow discussions between MITRE, CISA, and the German BSI, about vulnerability reporting for SaaS. While we have not heard any news on this front since the last two years, EQS Group remains committed to aligning with applicable best practices as they evolve. We believe that meaningful progress in SaaS security is best achieved through structured, collaborative forums with clear governance, rather than responding to ad-hoc reports of unvetted findings. EQS Group already participates to proper, professional working groups on SaaS security, for instance through the Cloud Security Alliance. If other working groups will emerge through any of the official organisms already mentioned, we will certainly participate. In general, as a principle, CVEs have been created many years ago, at a time where “the Cloud” did not exist in its current form. They were conceived so that users who procured a software from a development company and installed it on their system, could be notified when the software they have installed, manifested a security issue. In that way, they could procure the patch and fix it before a misuse could happen. Now, except for very particular and edge cases, this is largely inapplicable to SaaS, where there is very little users can do and solely rely on the Cloud Service Provider to fix any vulnerability. There is almost never any real ground for a SaaS provider to notify a customer – unless of course a breach has been detected, but in that case we are way beyond a CVE and we are on a different territory. For a SaaS, even knowing that the application had a bug, does not help the user in any way. This is why typically CVEs as a concept are not the proper tool to address SaaS vulnerabilities, and in general, rushing to disclose them only damages the users; a disclosure does not help them in any way. Response to the “Responsible" Disclosure About the “responsible" disclosure: EQS Group receives a significant volume of “vulnerability notifications” like that one. Almost all of them are low or irrelevant issues from anonymous users looking to make a buck; they are typically about a missing HTTP headers or lack of optional DNS records. Given the scale of our environment, it can happen that some record is not updated, but this has little relevance to the security of our platforms. We also cannot always reply to all those messages, and most of them seem AI or automatically generated. The notification from “Yuffie Kisaragi” was sent to us on the 4th of December and went to Junk due to the low reputation of the email used. The author then rushed to obtain two CVE IDs less than two weeks later and subsequently lost no time posting them on this list. EQS Group is certainly not perfect, but if these would have been real vulnerabilities, I argue that this would have not qualified as a “responsible” disclosure by any reasonable standard. Further communications EQS Group’s vulnerability handling policy is listed here<https://www.eqs.com/report-a-vulnerability/#handle> – https://www.eqs.com/report-a-vulnerability/ – and we strongly suggest anyone to read it before they issue a report. In this regard, we would like to point out the followings: 1. For several reasons – legal, commercial, policy, and ethical – EQS Group is unable to respond to requests for payment of bounties outside of an official bug bounty program. 2. EQS Group does nor remunerate bugs that were already discovered internally and were already in resolution. 3. EQS Group strongly discourages non-approved, un-vetted testing on EQS Group’s infrastructure. They can and will be perceived as hostile activity. Testing is encouraged only within officially approved bug bounty programs, in respect to the established rules of engagement. 4. Kindly avoid pointless reports on MTA-STS records, DMARC, quantum ciphers, and other junk like that. It makes our life easier. Thank you for your attention. Best regards / mit freundlichen Grüßen / Cordiali saluti Dr Marco Ermini (He/Him) Chief Information Security Officer (CISO) [email protected]<mailto:[email protected];> [LinkendIn]<https://www.linkedin.com/in/marcoermini/> Vereinbaren Sie einen Termin mit mir<https://outlook.office365.com/owa/calendar/[email protected]/bookings/> [EQS Group Logo]<https://www.eqs.com/?keyword=email-footer> [EQS Compliance COCKPIT]<https://www.eqs.com/de/platform-compliance-ethics/?keyword=email-footer> EQS Group GmbH | Karlstr. 47 | 80333 München | www.eqs.com<https://www.eqs.com/?keyword=email-footer> | www.integrityline.com<http://www.integrityline.com/?keyword=email-footer> [linkedIn Logo]<https://www.linkedin.com/company/1273779> [X Logo]<https://twitter.com/eqsgroup> [Instagram Logo]<https://www.instagram.com/eqsgroup/> [YouTube Logo]<https://www.youtube.com/user/EquityStory> [RSS Logo]<https://www.eqs.com/compliance-knowledge/> [Xing Logo]<https://www.xing.com/companies/eqsgroup> Register Court: Munich | Register Number: HRB 297048 Managing Directors: Achim Weick (CEO), André Silverio Marques, Marcus Sultzer The preceding email message contains information that is confidential and may constitute non-public information that is intended to be conveyed only to the designated recipient(s). If you are not an intended recipient of this message, please notify the sender at +49 89 444430-000<tel:+4989444430000>. Unauthorized use, dissemination, distribution, or reproduction of this message is strictly prohibited and may be unlawful. From: Wade Sparks <[email protected]> Date: Wednesday, 21. January 2026 at 17:29 To: Yuffie Kisaragi <[email protected]> Cc: Security Vulnerability <[email protected]>, [email protected] <[email protected]> Subject: Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group) EXTERNAL EMAIL WARNING: Please check the sender of the message Hello Yuffie, Upon further investigation, the VulnCheck CNA determined that these vulnerabilities were not suitable for CVE assignment. The vulnerabilities exist within a SaaS product and are mitigated at the CSP-level which in this case, would be the vendor, EQS Group. Rather than contribute unactionable CVE records, the VulnCheck CNA used its discretionary prowess to move forward with rejecting these records. This policy aligns with a 2022 blog from MITRE<https://www.cve.org/Media/News/item/blog/2022/09/13/Dispelling-the-Myth-CVE-ID>. It should be noted that the vendor informed us that they have published advisories for the respective vulnerabilities in their "Trust Center" customer portal. These actions should not be a deterrent for you to pursue CVE assignment through MITRE or another research CNA. Best regards, [https://lh7-us.googleusercontent.com/-9dCGnQIZaW0ehyK1B0bqLmef7d7ZWuSmmmWUYJGhzNgtzRhqFPZrtO3AnQt8PETFHiv6_YST3DacZVgrxPdAYXErAMnJrF6Isn27caszruLjby7jLRuuU__5emkqFjU8hczQ307--yVVMpVSiK7Qg]<https://www.vulncheck.com/> Wade Sparks III VulnCheck Senior Vulnerability Analyst On Tue, Jan 20, 2026 at 12:13 PM Yuffie Kisaragi <[email protected]<mailto:[email protected]>> wrote: Dear Art, Thank you for sharing your detailed evaluation and for pointing out the relevant sections of the CNA Rules. Your argument is well reasoned, particularly with respect to the current guidance on SaaS and exclusively hosted services. I have forwarded your evaluation to the CNA for further consideration. It will also be important to understand the vendor’s perspective in light of the points you raised, especially regarding the applicability of the “exclusively-hosted-service” tag and the removal of prior restrictions. We look forward to receive transparent feedback from the CNA and/or the vendor. To date, the vendor has remained silent with regard to informing their users about the reported issues. As far as we can determine, no public advisory or user-facing communication has been issued via their vulnerability reporting channel (https://www.eqs.com/report-a-vulnerability/) or elsewhere. Best regards, Yuffie On Tue, Jan 20, 2026 at 7:26 PM <[email protected]<mailto:[email protected]>> wrote: Hi, > the vulnerabilities are no longer considered eligible for CVE tracking, > despite being real, independently discovered, responsibly disclosed, and > acknowledged by the vendor. CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a period of time, there was a restriction that only the provider could make or request such an assignment. But the current CVE rules remove this restriction: 4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine learning) as the sole basis for determining assignment. It would have been acceptable (even preferred) to leave CVE-2025-34411 and CVE-2025-34412 published and identify them as affecting an "exclusively-hosted-service:" 5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all known Products listed in the CVE Record exist only as fully hosted services. If the Vulnerability affects both hosted services and on-premises Products, then this tag MUST NOT be used. Rules: https://www.cve.org/resourcessupport/allresources/cnarules Regards, - Art
img-93655eb7-1e08-4082-9b0d-324119c72986
Description: img-93655eb7-1e08-4082-9b0d-324119c72986
img-4242deaf-2ed2-4aca-8835-e8b8532f31a5
Description: img-4242deaf-2ed2-4aca-8835-e8b8532f31a5
img-7020e662-1f4b-4309-a368-99bb36354085
Description: img-7020e662-1f4b-4309-a368-99bb36354085
img-031b306a-7302-4ff5-9723-9b4db75aa12f
Description: img-031b306a-7302-4ff5-9723-9b4db75aa12f
img-89e758d7-c36a-4e5e-83da-e654f4e0a97f
Description: img-89e758d7-c36a-4e5e-83da-e654f4e0a97f
img-d6b10b63-6adb-47c7-b8fc-447c7638b817
Description: img-d6b10b63-6adb-47c7-b8fc-447c7638b817
img-277b6186-7ff7-4c5e-b551-946b20b9446c
Description: img-277b6186-7ff7-4c5e-b551-946b20b9446c
img-98846ffd-e46a-4a5d-887f-4873b8e78847
Description: img-98846ffd-e46a-4a5d-887f-4873b8e78847
img-0ed21722-c023-4c93-8006-7a17106991d4
Description: img-0ed21722-c023-4c93-8006-7a17106991d4
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
