PSIRT Policy
At Quectel, we are steadfast in our commitment to safeguarding our products and services. Our Product Security Incident Response Team (PSIRT) is here to promptly address security vulnerabilities and enhance the resilience of our offerings.
End-to-End Vulnerability Handling Process
Vulnerability Reporting Channels
If you identify a potential security vulnerability that may affect Quectel products, please contact Quectel PSIRT through the channel below.
Email: psirt@quectel.com
Please include at least the following information in your email:
- Affected product model(s) and software/firmware version(s);
- Vulnerability type and a clear description;
- Steps to reproduce and/or exploitation method;
- Suggested remediation or mitigation;
- Any additional relevant details (e.g., logs, PoC, environment).
Vulnerability Response & Disclosure Policy
Response Policy
Quectel PSIRT will provide an initial acknowledgement within one (1) business day after receiving your report, and will share a preliminary validation outcome within seven (7) business days.
Disclosure Policy
Quectel PSIRT evaluates factors such as a vulnerability’s impact and exploitability and, once an appropriate remediation plan is confirmed, publicly discloses the vulnerability details and corresponding remediation through security advisories.
Referenced Standards
Throughout the vulnerability handling lifecycle, Quectel PSIRT follows widely adopted standards and industry best practices, including but not limited to:
- CVSS (Common Vulnerability Scoring System)
- FIRST (Forum of Incident Response and Security Teams)
- ISO/IEC 29147 (Vulnerability Disclosure)
- ISO/IEC 30111 (Vulnerability Handling Processes)
Security Statement
Important Notice
Quectel recognizes and supports good-faith security research and necessary technical validation performed in controlled environments. All related activities must comply with applicable laws and regulations and must not impact production environments or third-party rights. The following activities are not considered acceptable forms of security research:
- Conducting destructive testing, exploitation, or any other unauthorized activities in production environments involving IoT modules, associated devices, or platforms that may disrupt normal operations.
- Illegally obtaining, reproducing, or disseminating IoT module firmware or related sensitive information through unauthorized reverse engineering or other improper means, thereby infringing upon the intellectual property rights of Quectel.
- Illegally intercepting, monitoring, altering, or tampering with module communication data, or accessing, acquiring, or disclosing sensitive data of users or third parties, thereby compromising data security and privacy.
- Exploiting vulnerabilities in modules to attack associated devices, infiltrate networks, or otherwise compromise network security and public interests.
- Circumventing regulatory requirements or engaging in any other activities that violate applicable laws and regulations or infringe upon the legitimate rights and interests of our company or third parties.