Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)

[Marco Ermini via Fulldisclosure <fulldisclosure () seclists org>]

Hello everyone,



Kindly let me introduce myself. This is the first – and potentially, last – message on this mailing list. I am Marco, 
the CISO of EQS Group. Kindly allow me to address some of the statements expressed publicly here.



About the Convercent application



Convercent was acquired by OneTrust in 2021, and in turn, EQS has acquired it from OneTrust at the end of 2024. Before 
being acquired by EQS, the Convercent application has not received much love in the latest years, and EQS has since 
then proceeded to migrate its customers to the EQS Compliance COCKPIT, which is a modern, supported, and secure SaaS. 
The Convercent application is sunset and will be finally switched off by mid of 2026.



Currently, Convercent is supported by EQS on a best-effort basis; despite that, EQS Group has committed to fix all 
critical vulnerabilities until the last customer is fully migrated. We want our customers to migrate to our best 
service because it is better – not rush them in our new product because what we inherited from an acquisition is 
insecure.





The vulnerabilities



The two issues disclosed are either minor in nature or do not constitute vulnerabilities. One was a lack of certain 
HTTP headers (some of the reported ones where wrong, but regardless, still hardly something CVE-worthy), and the second 
was about an “exposed” API; however, it is public by design as this is how the application works: it is a page where 
customers – who have explicitly agreed and signed off to be present – are added to a drop-down list, fed from this 
public API. The web page exposes the list of customers by design.



While we may reasonably question whether this page reflects current secure-by-design standards, this brings zero added 
risk to any of the EQS customers and Convercent users.



I strongly disagree with the ideas that those “vulnerabilities” could become CVEs – regardless of the status of the 
SaaS security and how CVEs are handled. Therefore, we proceeded to ask for their removal from the CVSS database, so not 
to alarm our customers with false positives. The responsible CNA agreed immediately to remove them (thank you very 
much, VulnCheck!).





Communication with our customers



EQS Group communicates with its customers through established and appropriate channels – notably, our Trust Center – 
and not via anonymous mailing lists. Customers have received and will continue to receive all the notifications they 
have contractually required to obtain, and where relevant, additional context beyond those obligations.



Customers have received a briefing about the activity happening on this mailing list via our Trust Center.





The status of SaaS Security



As EQS Group is a CNA candidate, we participate and closely follow discussions between MITRE, CISA, and the German BSI, 
about vulnerability reporting for SaaS. While we have not heard any news on this front since the last two years, EQS 
Group remains committed to aligning with applicable best practices as they evolve.


We believe that meaningful progress in SaaS security is best achieved through structured, collaborative forums with 
clear governance, rather than responding to ad-hoc reports of unvetted findings. EQS Group already participates to 
proper, professional working groups on SaaS security, for instance through the Cloud Security Alliance. If other 
working groups will emerge through any of the official organisms already mentioned, we will certainly participate.


In general, as a principle, CVEs have been created many years ago, at a time where “the Cloud” did not exist in its 
current form. They were conceived so that users who procured a software from a development company and installed it on 
their system, could be notified when the software they have installed, manifested a security issue. In that way, they 
could procure the patch and fix it before a misuse could happen.


Now, except for very particular and edge cases, this is largely inapplicable to SaaS, where there is very little users 
can do and solely rely on the Cloud Service Provider to fix any vulnerability. There is almost never any real ground 
for a SaaS provider to notify a customer – unless of course a breach has been detected, but in that case we are way 
beyond a CVE and we are on a different territory. For a SaaS, even knowing that the application had a bug, does not 
help the user in any way. This is why typically CVEs as a concept are not the proper tool to address SaaS 
vulnerabilities, and in general, rushing to disclose them only damages the users; a disclosure does not help them in 
any way.




Response to the “Responsible" Disclosure



About the “responsible" disclosure: EQS Group receives a significant volume of “vulnerability notifications” like that 
one. Almost all of them are low or irrelevant issues from anonymous users looking to make a buck; they are typically 
about a missing HTTP headers or lack of optional DNS records. Given the scale of our environment, it can happen that 
some record is not updated, but this has little relevance to the security of our platforms. We also cannot always reply 
to all those messages, and most of them seem AI or automatically generated.



The notification from “Yuffie Kisaragi” was sent to us on the 4th of December and went to Junk due to the low 
reputation of the email used. The author then rushed to obtain two CVE IDs less than two weeks later and subsequently 
lost no time posting them on this list.



EQS Group is certainly not perfect, but if these would have been real vulnerabilities, I argue that this would have not 
qualified as a “responsible” disclosure by any reasonable standard.



Further communications


EQS Group’s vulnerability handling policy is listed here<https://www.eqs.com/report-a-vulnerability/#handle> –  
https://www.eqs.com/report-a-vulnerability/ – and we strongly suggest anyone to read it before they issue a report.



In this regard, we would like to point out the followings:

  1.  For several reasons – legal, commercial, policy, and ethical – EQS Group is unable to respond to requests for 
payment of bounties outside of an official bug bounty program.
  2.  EQS Group does nor remunerate bugs that were already discovered internally and were already in resolution.
  3.  EQS Group strongly discourages non-approved, un-vetted testing on EQS Group’s infrastructure. They can and will 
be perceived as hostile activity. Testing is encouraged only within officially approved bug bounty programs, in respect 
to the established rules of engagement.
  4.  Kindly avoid pointless reports on MTA-STS records, DMARC, quantum ciphers, and other junk like that. It makes our 
life easier.



Thank you for your attention.

Best regards / mit freundlichen Grüßen / Cordiali saluti

Dr Marco Ermini (He/Him)
Chief Information Security Officer (CISO)

Marco.Ermini () eqs com<mailto:Marco.Ermini () eqs com;>

[LinkendIn]<https://www.linkedin.com/in/marcoermini/>
Vereinbaren Sie einen Termin mit mir<https://outlook.office365.com/owa/calendar/BookaMeetingwithMarco () eqs 
com/bookings/>
[EQS Group Logo]<https://www.eqs.com/?keyword=email-footer>

[EQS Compliance COCKPIT]<https://www.eqs.com/de/platform-compliance-ethics/?keyword=email-footer>
EQS Group GmbH | Karlstr. 47 | 80333 München | www.eqs.com<https://www.eqs.com/?keyword=email-footer> | 
www.integrityline.com<http://www.integrityline.com/?keyword=email-footer>
[linkedIn Logo]<https://www.linkedin.com/company/1273779>
[X Logo]<https://twitter.com/eqsgroup>
[Instagram Logo]<https://www.instagram.com/eqsgroup/>
[YouTube Logo]<https://www.youtube.com/user/EquityStory>
[RSS Logo]<https://www.eqs.com/compliance-knowledge/>
[Xing Logo]<https://www.xing.com/companies/eqsgroup>
Register Court: Munich | Register Number: HRB 297048
Managing Directors: Achim Weick (CEO), André Silverio Marques, Marcus Sultzer

The preceding email message contains information that is confidential and may constitute non-public information that is 
intended to be conveyed only to the designated recipient(s).
If you are not an intended recipient of this message, please notify the sender at +49 89 444430-000<tel:+4989444430000>.
Unauthorized use, dissemination, distribution, or reproduction of this message is strictly prohibited and may be 
unlawful.


From: Wade Sparks <wsparks () vulncheck com>
Date: Wednesday, 21. January 2026 at 17:29
To: Yuffie Kisaragi <yuffie.kisaragi () atomicmail io>
Cc: Security Vulnerability <security-vulnerability () eqs com>, fulldisclosure () seclists org <fulldisclosure () 
seclists org>
Subject: Re: Multiple Security Misconfigurations and Customer Enumeration Exposure in Convercent Whistleblowing 
Platform (EQS Group)


EXTERNAL EMAIL WARNING: Please check the sender of the message

Hello Yuffie,

Upon further investigation, the VulnCheck CNA determined that these vulnerabilities were not suitable for CVE 
assignment. The vulnerabilities exist within a SaaS product and are mitigated at the CSP-level which in this case, 
would be the vendor, EQS Group. Rather than contribute unactionable CVE records, the VulnCheck CNA used its 
discretionary prowess to move forward with rejecting these records. This policy aligns with a 2022 blog from 
MITRE<https://www.cve.org/Media/News/item/blog/2022/09/13/Dispelling-the-Myth-CVE-ID>. It should be noted that the 
vendor informed us that they have published advisories for the respective vulnerabilities in their "Trust Center" 
customer portal.

These actions should not be a deterrent for you to pursue CVE assignment through MITRE or another research CNA.

Best regards,

[https://lh7-us.googleusercontent.com/-9dCGnQIZaW0ehyK1B0bqLmef7d7ZWuSmmmWUYJGhzNgtzRhqFPZrtO3AnQt8PETFHiv6_YST3DacZVgrxPdAYXErAMnJrF6Isn27caszruLjby7jLRuuU__5emkqFjU8hczQ307--yVVMpVSiK7Qg]<https://www.vulncheck.com/>

Wade Sparks III

VulnCheck
Senior Vulnerability Analyst


On Tue, Jan 20, 2026 at 12:13 PM Yuffie Kisaragi <yuffie.kisaragi () atomicmail io<mailto:yuffie.kisaragi () atomicmail 
io>> wrote:


Dear Art,


Thank you for sharing your detailed evaluation and for pointing out the relevant sections of the CNA Rules.


Your argument is well reasoned, particularly with respect to the current guidance on SaaS and exclusively hosted 
services.


I have forwarded your evaluation to the CNA for further consideration. It will also be important to understand the 
vendor’s perspective in light of the points you raised, especially regarding the applicability of the 
“exclusively-hosted-service” tag and the removal of prior restrictions.

We look forward to receive transparent feedback from the CNA and/or the vendor.

To date, the vendor has remained silent with regard to informing their users about the reported issues. As far as we 
can determine, no public advisory or user-facing communication has been issued via their vulnerability reporting 
channel (https://www.eqs.com/report-a-vulnerability/) or elsewhere.

Best regards,

Yuffie

On Tue, Jan 20, 2026 at 7:26 PM <zmanion () protonmail com<mailto:zmanion () protonmail com>> wrote:

Hi,

> the vulnerabilities are no longer considered eligible for CVE tracking, despite being real, independently discovered, 
> responsibly disclosed, and acknowledged by the vendor.
CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a period of time, there was a restriction 
that only the provider could make or request such an assignment. But the current CVE rules remove this restriction:

4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine 
learning) as the sole basis for determining assignment.

It would have been acceptable (even preferred) to leave CVE-2025-34411 and CVE-2025-34412 published and identify them 
as affecting an "exclusively-hosted-service:"

5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all known Products listed in the CVE Record 
exist only as fully hosted services. If the Vulnerability affects both hosted services and on-premises Products, then 
this tag MUST NOT be used.

Rules: https://www.cve.org/resourcessupport/allresources/cnarules

Regards,

- Art

Attachment: img-93655eb7-1e08-4082-9b0d-324119c72986
Description: img-93655eb7-1e08-4082-9b0d-324119c72986

Attachment: img-4242deaf-2ed2-4aca-8835-e8b8532f31a5
Description: img-4242deaf-2ed2-4aca-8835-e8b8532f31a5

Attachment: img-7020e662-1f4b-4309-a368-99bb36354085
Description: img-7020e662-1f4b-4309-a368-99bb36354085

Attachment: img-031b306a-7302-4ff5-9723-9b4db75aa12f
Description: img-031b306a-7302-4ff5-9723-9b4db75aa12f

Attachment: img-89e758d7-c36a-4e5e-83da-e654f4e0a97f
Description: img-89e758d7-c36a-4e5e-83da-e654f4e0a97f

Attachment: img-d6b10b63-6adb-47c7-b8fc-447c7638b817
Description: img-d6b10b63-6adb-47c7-b8fc-447c7638b817

Attachment: img-277b6186-7ff7-4c5e-b551-946b20b9446c
Description: img-277b6186-7ff7-4c5e-b551-946b20b9446c

Attachment: img-98846ffd-e46a-4a5d-887f-4873b8e78847
Description: img-98846ffd-e46a-4a5d-887f-4873b8e78847

Attachment: img-0ed21722-c023-4c93-8006-7a17106991d4
Description: img-0ed21722-c023-4c93-8006-7a17106991d4

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/