Third-Party User Enumeration Issue Resolved

We were recently made aware of a user enumeration issue on the login page of SumTotal’s training website, a learning management solution that Qualys uses for its training and certification site. Upon learning of the issue, we immediately worked through the vendor to get it fixed. The training website is completely segregated from the Qualys Cloud Platform; therefore, no customer data was ever at risk or compromised.

Qualys uses a learning management solution, SumTotal Learning Management, for hosting various training and certification courses for Qualys apps. This training portal is a third-party website and can be used by anyone, including Qualys customers, to register and participate in free training. The training website is completely segregated from the Qualys Cloud Platforms, which are deployed globally and where we host our customers. No data from the Qualys Cloud Platform is shared with this training website.

The issue, which was ethically reported to Qualys, is publicly described. The description highlights that the user enumeration was informative only: it revealed whether an account for a particular e-mail ID was valid, and apart from that, no other information was accessible.

We maintain a very high data standard for our platform. We expect our partners to have similarly high data standards, and we are continually working with them to ensure they maintain this standard.
