Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

[Wade Sparks <wsparks () vulncheck com>]

Hello Yuffie,

Upon further investigation, the VulnCheck CNA determined that these
vulnerabilities were not suitable for CVE assignment. The
vulnerabilities exist within a SaaS product and are mitigated at the
CSP-level which in this case, would be the vendor, EQS Group. Rather than
contribute unactionable CVE records, the VulnCheck CNA used its
discretionary prowess to move forward with rejecting these records. This
policy aligns with a 2022 blog from MITRE
<https://www.cve.org/Media/News/item/blog/2022/09/13/Dispelling-the-Myth-CVE-ID>.
It
should be noted that the vendor informed us that they have published
advisories for the respective vulnerabilities in their "Trust Center"
customer portal.

These actions should not be a deterrent for you to pursue CVE assignment
through MITRE or another research CNA.

Best regards,

<https://www.vulncheck.com/>

Wade Sparks III
VulnCheck
Senior Vulnerability Analyst


On Tue, Jan 20, 2026 at 12:13 PM Yuffie Kisaragi <
yuffie.kisaragi () atomicmail io> wrote:

> Dear Art,
>
> Thank you for sharing your detailed evaluation and for pointing out the
> relevant sections of the CNA Rules.
>
> Your argument is well reasoned, particularly with respect to the current
> guidance on SaaS and exclusively hosted services.
>
> I have forwarded your evaluation to the CNA for further consideration. It
> will also be important to understand the vendor’s perspective in light of
> the points you raised, especially regarding the applicability of the
> “exclusively-hosted-service” tag and the removal of prior restrictions.
>
> We look forward to receive transparent feedback from the CNA and/or the
> vendor.
>
> To date, the vendor has remained silent with regard to informing their
> users about the reported issues. As far as we can determine, no public
> advisory or user-facing communication has been issued via their
> vulnerability reporting channel (
> https://www.eqs.com/report-a-vulnerability/) or elsewhere.
>
> Best regards,
>
> Yuffie
>
> On Tue, Jan 20, 2026 at 7:26 PM <zmanion () protonmail com> wrote:
>
> > Hi,
> >
> > > the vulnerabilities are no longer considered eligible for CVE tracking,
> > despite being real, independently discovered, responsibly disclosed, and
> > acknowledged by the vendor.
> > CVE IDs *can* be assigned for SaaS or similarly "cloud only" software.
> > For a period of time, there was a restriction that only the provider could
> > make or request such an assignment. But the current CVE rules remove this
> > restriction:
> >
> > 4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud,
> > on-premises, artificial intelligence, machine learning) as the sole basis
> > for determining assignment.
> >
> > It would have been acceptable (even preferred) to leave CVE-2025-34411
> > and CVE-2025-34412 published and identify them as affecting an
> > "exclusively-hosted-service:"
> >
> > 5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag
> > when all known Products listed in the CVE Record exist only as fully hosted
> > services. If the Vulnerability affects both hosted services and on-premises
> > Products, then this tag MUST NOT be used.
> >
> > Rules: https://www.cve.org/resourcessupport/allresources/cnarules
> >
> > Regards,
> >
> > - Art
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/