Security Advisory

  • We are committed to continuously improving the information security of our products and services, and sincerely welcome you to report any security vulnerabilities that may affect our products or solutions.

I. Vulnerability Disclosure Process

    Stage Description
  • Initial Response
    PSIRT will respond to and acknowledge vulnerability reports concerning the Company's products within 3 working days of receipt. This includes confirming the reported content, such as product information, vulnerability description, and reproduction steps, ensuring the reporter receives a quick and clear preliminary reply.
  • Assessment & Classification
    Analysts will perform a preliminary risk assessment and technical classification of the vulnerability. This confirms whether the vulnerability is novel and determines the potential security impact. A CVE ID will be assigned upon confirming the validity and scope of the reported vulnerability. The assigned CVE ID will be communicated to the reporter and included in the public advisory upon disclosure.
  • Technical Investigation
    PSIRT will collaborate with internal R&D or relevant teams to further analyze the Root Cause of the vulnerability, confirm its actual impact on product functionality and security, and devise potential remediation plans. During this phase, PSIRT will also continuously coordinate with the reporter on disclosure timing and related details, maintaining two-way communication.
  • Remediation & Validation
    Once the remediation approach is confirmed, PSIRT will work with the R&D team to implement the fix. The R&D unit will then validate the effectiveness of the remediation to ensure it does not cause other functional errors or system instability. If necessary, a hotfix or version update will be arranged to notify customers.
  • Disclosure & Announcement
    After remediation is completed, a formal security advisory will be published, including a description of the vulnerability, affected versions, and remediation guidance.
    We follow a 90-day coordinated vulnerability disclosure (CVD) principle and disclose vulnerabilities in coordination with the reporting party. The disclosure timeline may be adjusted based on severity, remediation complexity, and mutual agreement.
    Advisories are generally published once remediation is available or an agreed disclosure date is reached. We do not guarantee that a patch or update will be available within a specific timeframe.

II. Reporter Expectations

  • To ensure a coordinated and effective disclosure process, we ask that vulnerability reporters:
    • Refrain from publicly disclosing the vulnerability until a fix is available or a mutually agreed disclosure date is reached.
    • Provide sufficient technical detail to allow our team to reproduce and validate the issue.
    • Act in good faith and avoid actions that could compromise the availability, integrity, or privacy of our systems or user data.
    • Allow a reasonable timeframe for remediation before pursuing public disclosure.

III. Scope of Vulnerabilities

  • Quanta Computer PSIRT accepts reports on security vulnerabilities affecting Quanta Computer's own products and services, including but not limited to firmware, software, and hardware design flaws.
  • The following are generally considered out of scope:
    • Vulnerabilities in third-party components not developed or maintained by Quanta Computer.
    • Social engineering attacks (e.g., phishing).
    • Physical attacks requiring direct access to the device.
    • Denial-of-service attacks that do not exploit a specific vulnerability.

IV. Contact Information

V. Suggested Information to Include

    • Product and version where the issue was found
    • Type of vulnerability and reproduction steps (including PoC or demonstration)
    • Your contact information (if you wish to receive a response)

VI. Our Commitments

    • Our company supports the principle of Coordinated Disclosure.
    • We will not take legal action against good-faith reporters.
    • Dispute and Escalation Policy

VII. Vulnerability Announcements