Purpose of Disclosure
The goal of performing security research and zero-day vulnerability disclosure is to ensure that vendors provide timely patches and reduce the risk exposed on their clients' systems. For those in the security community, it is clear that if we find a security vulnerability, it is probably already being exploited by someone who previously found it. This is why it is so important to remediate vulnerabilities with urgency.
The following process is used when responsibly disclosing vulnerabilities.
Attempts will be made to contact the vendor by sending communications to publicly posted email addresses along with the security@ and info@ email addresses. Once contact has been made and a point of contact is set up for the disclosure, details of the vulnerability along with PoC code and screenshots will be shared with the vendor.
During the disclosure process, any requests for more information or details on replicating the issue will be answered to ensure the reported vulnerability can be properly addressed. If the vendor determines the reported issue is not a security vulnerability or will not be addressed, public disclosure of the reported issue will be posted immediately.
It is expected that the vendor work to produce a patch in a reasonable amount of time. This depends on the type of vulnerability and how much work it will take to create a patch, but in most cases a patch is expected within 90 days of disclosure. If the vendor does not plan to patch the vulnerability within 90 days, public disclosure will take place at the 90-day mark. If the vendor is planning a patch but will miss the 90-day deadline, work will be done to coordinate a disclosure timeline if the planned patch release timeline is reasonable.
In the case of critical vulnerabilities where customers are at risk, it is expected that the vendor notify their customers so they 1) know to update their product and 2) can perform any incident response activities warranted by the exposure.
After a patch is released, the details of the vulnerability will be posted and submitted to MITRE for a CVE if applicable. Depending on the scenario, a 30-day post-patch grace period may be requested to give customers time to update their systems after the patch is available.
If the vendor decides to not patch the reported issue, a public disclosure will be posted immediately.