This document details our Vulnerability Disclosure Policy. With this policy we aim to ensure the clearest communication of our objectives and of our vulnerability disclosure process to affected vendors and the general public.
This policy should be seen as a guideline. Not all vulnerabilities are the same, and as such not all can be handled exactly the same.
We believe that the steps detailed in this policy strike the balance between the different concerns of all the parties.
We sometimes discover previously unknown vulnerabilities which may have an impact on both our clients and others.
With the disclosure process we aim to open a communication channel with the affected vendor(s) so that we can transmit the details of the identified vulnerabilities and ensure they are addressed and fixed as soon as possible, reducing the time during which users are exposed to exploitation by malicious actors.
Our foremost objective is that both our clients and the general public are protected from these vulnerabilities by applying a fix developed by the vendor as soon as possible. When this is not possible, we aim to give affected parties enough information that compensating measures can be implemented to mitigate the vulnerability.
We also believe that publishing information about these vulnerabilities helps other security professionals assess the systems they are responsible for, by allowing them to identify whether those systems are vulnerable or adequately patched.