Vulnerability Disclosure Policy

Purpose

To educate the vendor of the vulnerability and risk reduction through vendor patch or workaround development

Secrooq to understand how the vendor intends to fix the vulnerability and risk reduction through developing protections in Secrooq's products and services

Education of the information security community and the public at large about the vulnerability and risk reduction through spreading awareness of a vendor patch/workaround as well as protections and security controls that can prevent exploitation of the vulnerability

Aims

Education of the vendor regarding the vulnerability and risk reduction through vendor patch or workaround development

Education of Secrooq on how the vendor intends to fix the vulnerability and risk reduction through developing protections in Secrooq's products and services

Education of the information security community and the public at large about the vulnerability and risk reduction through spreading awareness of a vendor patch/workaround as well as protections and security controls that can prevent exploitation of the vulnerability

Definitions

The vendor is the individual, group, or company that maintains the software, hardware, or resources that are related to the vulnerability

The date of contact is the point in time when Secrooq initially contacts the vendor about the vulnerability

All dates, times, and time zones are relative to location of Secrooq's geographical location

All day counts are calendar

Policy

The vendor will be given 14 days from the date of contact for an initial response. Within the 14 days, three attempts at contact will be made. Should no contact occur by the end of 14 days, Secrooq will evaluate the risk to our clients and may decide to disclose the vulnerability to its clients, at a minimum.

Secrooq will provide a best effort to honor requests from the vendor for additional information or help in reproducing the vulnerability. This will include providing configuration details and the scenario in which the vulnerability was discovered.

The vendor is responsible for providing regular status updates (regarding the resolution of the vulnerability). If the vendor discontinues communication at any stage of the process for more than 30 days after date of contact, Secrooq will view the vendor as non-responsive and will consider public disclosure.

The vendor is encouraged to provide reasonable credit to Secrooq and to the researcher responsible for discovering the vulnerability. Suggested (minimal) credit could be: "Credit to [researcher name] from the Penetration Testing Team at Secrooq for disclosing the vulnerability to [vendor name]."

The vendor is encouraged to coordinate a joint public release/disclosure with Secrooq so advisories of the vulnerability and resolution can be made available together.

The vendor will be given a maximum of 90 days after the date of contact to release a patch. After 90 days Secrooq will consider public disclosure.

If a third party publicly discloses the vulnerability during this process, disclosure will be considered to be public and Secrooq will work with the vendor for immediate disclosure.

If the vulnerability is being actively exploited in the wild, Secrooq will work with the vendor on an escalated disclosure timeline potentially less than seven days after the date of contact if exploitation is experienced on a wide and public scale.

Proof of concept code or technical explanation of exploitation of a vulnerability that is rated critical may be withheld for up to 14 days after public disclosure to allow time for organisations to protect themselves.