
With increasingly rampant cyberattacks and ransomware, cybersecurity has become the top concern for both enterprises and individual users. QNAP recognizes the critical importance of cybersecurity to user trust and product stability. Through our Product Security Incident Response Team (PSIRT), QNAP continuously strengthens its cybersecurity governance mechanisms, demonstrating excellent results in vulnerability response, risk control, and global collaboration.
Joining Forces with the Global Cybersecurity Community to Strengthen Cybersecurity Resilience
QNAP actively participates in the global cybersecurity ecosystem, building close collaborations with security research organizations and the white-hat community. In recent years, QNAP has continued sponsoring Trend Micro’s Zero Day Initiative (ZDI) and participated in world-renowned cybersecurity competitions such as Pwn2Own Ireland and the Matrix Cup, enhancing its vulnerability handling capabilities through hands-on exercises. During these competitions, QNAP’s dedicated team also promptly analyzes and patches disclosed vulnerabilities, while simultaneously issuing operating system update notifications to users.
At the same time, QNAP collaborates with over a hundred cybersecurity researchers worldwide to promote coordinated vulnerability disclosure and remediation mechanisms, covering various aspects including web interfaces, backend services, and firmware vulnerabilities. French cybersecurity expert Thomas Fady also praised our efforts: “Over the past two years, QNAP has worked closely with us, proactively tracking security developments and responding swiftly and effectively. We have clearly seen their increasing commitment to cybersecurity, as well as the substantial progress achieved.”
Overview of QNAP PSIRT Achievements in 2024
Over the past year, QNAP PSIRT has demonstrated high efficiency and transparency in incident reporting and response, with the following concrete achievements:
- Published over 40 security advisories, covering vulnerability fixes, emergency guidance, and security recommendations
- Assigned more than 100 Common Vulnerabilities and Exposures (CVE) IDs, contributing to the global cybersecurity database
- Distributed cumulative rewards exceeding NT$1 million through the Security Vulnerability Reward Program, covering both internal and external disclosure channels
Response times for high-risk vulnerabilities are also rapid:
- Completed vulnerability analysis within an average of 9 hours
- Released patches within 14 hours
- Issued incident reports and user guidance within 24 hours
Integrating Across Departments to Achieve Proactive Security Development
QNAP PSIRT adopts a committee-based structure, with the R&D, security, legal, customer support, and marketing departments collaboratively participating in cybersecurity governance. It has also fully implemented the DevSecOps development process, conducting automated static and dynamic security analyses at the code submission stage to make security checks an integral part of daily development. Furthermore, it continuously integrates automated scanning tools to further improve the accuracy of vulnerability detection.
Building a Multi-Layer Defense: Simultaneous Deployment of Backup Strategies and Anomaly Detection
In response to increasingly sophisticated ransomware threats, QNAP offers comprehensive solutions for users, spanning from data backup to network anomaly detection. The Hybrid Backup Center provides centralized management for multi-NAS backup and restore operations. The AirGap+ feature, integrated with QHora routers, automatically isolates the network during backup operations, effectively reducing the risk of data exposure. Additionally, the ADRA NDR (Network Detection and Response) solution delivers proactive internal network detection and defense, quickly identifying lateral malware movement and abnormal connection behavior within the network, further strengthening internal network protection.
In terms of educational outreach, QNAP regularly releases security configuration guides, instructional videos, and best-practice examples each quarter to help users adopt proactive defense strategies. Built-in mechanisms such as App Armor permission controls and CGI protections are also continuously improved to further enhance overall cybersecurity defenses.
Advancing Software Supply Chain Transparency and AI Security Governance
In 2025, QNAP officially implemented the SBOM (Software Bill of Materials) framework to ensure that all third-party open-source components used in its products are comprehensively listed together with their licensing information, enabling rapid risk assessment and remediation whenever a component is found to have a security vulnerability. At the same time, in response to the rise of AI development, QNAP has established a standardized GenAI code review procedure, reinforcing code quality control and cybersecurity from the early stages of development. This multi-layered approach prevents potential vulnerabilities and sensitive data leaks, strengthening overall cybersecurity resilience.
The Ongoing Journey of Cybersecurity Governance: QNAP Keeps Forging Ahead
From cybersecurity incident response and proactive development to community collaboration and policy innovation, QNAP consistently upholds the principles of transparency, agility, and cooperation to strengthen its cybersecurity governance. QNAP will continue to act on its cybersecurity commitments by enhancing internal and external risk detection and control mechanisms, delivering a safer, more resilient, and trustworthy digital storage and networking environment for users worldwide.