Security Advisory

  • We are committed to continuously improving the information security of our products and services. Reports from external parties of security vulnerabilities that may affect our products or solutions will help strengthen overall product security.

I. Vulnerability Reporting Process

    Stage / Description
    External Report
  • Upon receiving a vulnerability report regarding our products from an external party, we will review the report details (e.g., product information, vulnerability description, etc.) and provide an initial response.
    Initial Assessment
  • Our analysts will conduct an initial risk assessment based on the report to determine whether the identified issue poses a potential security impact on the product.
    Root Cause Analysis
  • In collaboration with internal R&D or relevant teams, we will further analyze the root cause to assess its actual impact on the product and explore feasible solutions.
    Solution Development & Verification
  • Once a solution is developed, the R&D team will verify its effectiveness to ensure it does not cause additional functional errors or system instability. If necessary, a hotfix or version update will be arranged and customers will be notified.
    Security Advisory Publication
  • Upon completion of verification, the R&D team will issue an official security advisory, including a description of the solution and the affected versions.

II. Scope of Vulnerabilities

  • We accept security vulnerability reports affecting Quanta Computer's own products and services, including but not limited to firmware, software, and hardware design flaws.
  • The following are generally considered out of scope:
    • Vulnerabilities in third-party components not developed or maintained by Quanta Computer.
    • Social engineering attacks (e.g., phishing attacks).
    • Physical attacks requiring direct access to the device.
    • Denial-of-service (DoS) attacks that do not exploit a specific vulnerability.

III. Contact Information

IV. Suggested Information to Include

    • Product and version where the issue was found
    • Type of vulnerability and reproduction steps (including PoC or demonstration)
    • Contact information (if you wish to receive a response)

V. Dispute Resolution and Appeal Policy

    • If a reporter disagrees with our vulnerability assessment, severity rating, or CVE coordination decision, they may submit a request for re-evaluation via PSIRT@quantatw.com. We will follow up with further communication and clarification within 3 business days.
    • If a consensus still cannot be reached, the reporter may file an appeal with the corresponding CVE Root in accordance with the CVE Program Rules. We will handle all subsequent procedures in compliance with the CVE Program Rules and its dispute resolution and escalation process.

VI. Vulnerability Announcements