My Vulnerability Disclosure Policy
This page outlines my vulnerability disclosure policy, so that no conflict arises later with regard to the timeline and ethics of any public disclosure I make. Personally, I believe it is my responsibility to make all information about a discovered vulnerability available to the users of that software as soon as possible, and this is how I justify the ethics of any full disclosure I do. Before publicly releasing a 0-day, ample time would be given to the respective vendor to fix the issue(s) and provide patch(es). But factors like sluggishness and reluctance on the part of the software maintainer/vendor with regard to coordinated disclosure of the vulnerability might lead to a scheduled full disclosure, with or without notice.
Efforts would be made in good faith to cooperate with any vendor prior to any such public disclosure, failing which (or in case of disputes) I will have the right to fully disclose my findings.
Whether one should practice full disclosure or not is an arguable topic, and it definitely raises some questions, such as:
- Should full details be provided for a vulnerability affecting a significant number of users, or not?
- Will this lead adversaries or malicious actors to spring into action and potentially misuse the information they gain from these disclosures?
- Is it ethical and responsible?
This policy page tries to clarify and address some of these points, to help the concerned vendor/company and its users in the event such a situation arises.
Stages in the Disclosure Process
- Discovery: identifying vulnerabilities in a vendor's product.
- Contact is established with the concerned vendor: the vendor is notified about the vulnerabilities found. Repeated attempts to contact the vendor will be made within a 7-day period.
- Acknowledgement of the findings by the vendor: the vendor acknowledges the vulnerability within 7 days (this falls within the 7-day contact timeline).
- Assignment of a CVE identifier through MITRE, if applicable (for software not covered by a CNA).
- Deadline for fix/release of patch(es): for non-reward-based disclosures (i.e. VDPs), 7 days will be allotted for fixing the issues, in the case of vulnerabilities that were not reported through a bug bounty program or were not compensated.*
- Public disclosure: failure to comply with the above points, or discrepancies/anomalies, will result in complete public disclosure of my findings (applicable to VDPs, including non-compensated disputed cases).
- Details would be published at the end of the timeline/deadline on this blog, and references would be added to the advisory (if applicable) to make it public.
* Note: the deadline for a fix will be extended beyond the initial 7-day notice only after the vendor provides a satisfactory response/acknowledgement (which excludes automated responses, etc.).
This is again subject to my discretion, and in case of disputes, I would fully disclose issues with or without prior notice.
Exceptions to the Policy
This solely depends on my discretion and the circumstances. Also, NDAs and other formal agreements might be taken care of before proceeding.
FAQs
Why a public disclosure?
Every public disclosure is made in the spirit of transparency, and in response to a vendor's reluctance to address security issues within its software.
What is your disclosure timeline?
Combined, it's 14 days. But just to clarify, if the initial pre-condition fails, that is, if the vendor fails to respond to or acknowledge the vulnerability within 7 days of the initial notice, a final notification may or may not be served, and a public disclosure would be made anytime after that.
How much information would be disclosed?
This varies at my discretion, from partial details to full details.
Will the information be shared with other third parties prior to disclosure?
Yes, the information may be shared with other (third) parties prior to such disclosure, subject to my discretion.
Are you ethical in your disclosure process?
Yes, of course I am, because adequate time is offered to the concerned vendor to secure its product and help keep its users safe. Moreover, any information made public through a disclosure is released in the interest of the affected users. So this is ethically justified from the standpoint of the safety of the affected users above all.
Additional Information
Establishing Contact
If there is no proper way to reach a vendor, attempts would be made through all possible channels to notify them. But if I still fail to reach the vendor due to vague security contact details, this would result in a full disclosure.
After Contact is Established
Issues will be reported to the vendor, and under normal circumstances the vendor will be given 7 days until public disclosure.
In rare situations, the deadline to fix the issues might be extended by mutual agreement, which solely depends on my decision/discretion.
Note:
Last but not least, these policies remain subject to my discretion and circumstances in general.