Vulnerability Disclosure Policy

This document details our Vulnerability Disclosure Policy. With this policy we aim to communicate our objectives and our vulnerability disclosure process as clearly as possible to affected vendors and the general public.

This policy should be seen as a guideline. Not all vulnerabilities are the same, and as such not all can be handled exactly the same.

We believe that the steps detailed in this policy strike the balance between the different concerns of all the parties.

Why

We sometimes discover previously unknown vulnerabilities which may have an impact on both our clients and others.

Through the disclosure process we aim to open a communication channel with the affected vendor(s) and transmit the details of the identified vulnerabilities, so that they can be addressed and fixed as soon as possible, reducing the time during which users are exposed to exploitation by malicious actors.

Our primary objective is that both our clients and the general public are protected from these vulnerabilities by applying a fix developed by the vendor as soon as possible. When this is not possible, we aim to give affected parties enough information that compensating measures can be implemented to mitigate the vulnerability.

We also believe that publishing information about these vulnerabilities helps other security professionals assess the systems they are responsible for, by helping them identify whether those systems are vulnerable or adequately patched.

How

  • Whenever we identify a previously unknown vulnerability, we will make a reasonable effort to contact the affected vendor to share the details so the vulnerability can be fixed;
  • We expect that the vendor will reply within 2 weeks of our first attempt to establish contact;
  • We will keep an open line of communication in order to clarify any questions the vendor may have;
  • We expect the vendor to inform us of the timeline for the fix;
  • During this period we will obtain a CVE ID from either MITRE or the vendor (if it is a CNA);
  • We will publish an advisory with the details of the vulnerability 90 days after our initial attempt to contact the vendor, or sooner if a patch has been issued and disclosure coordinated with the vendor;
  • Postponing this 90-day deadline is solely at our discretion, based on our assessment of whether the vendor needs additional time to fix the vulnerability and issue patches;
  • If the vendor is or becomes unresponsive, we will publish details of the vulnerability so that affected users can implement compensating controls to mitigate it.