Vulnerability Disclosure Policy

Purpose

• To educate the vendor of the vulnerability and risk reduction through vendor patch or workaround development
• Bulletproof to understand how the vendor intends to fix the vulnerability and risk reduction through developing protections in Bulletproof’s products and services
• Education of the information security community and the public at large about the vulnerability and risk reduction through spreading awareness of a vendor patch/workaround as well as protections and security controls that can prevent exploitation of the vulnerability

Aims

• Education of the vendor regarding the vulnerability and risk reduction through vendor patch or workaround development
• Education of Bulletproof on how the vendor intends to fix the vulnerability and risk reduction through developing protections in Bulletproof’s products and services
• Education of the information security community and the public at large about the vulnerability and risk reduction through spreading awareness of a vendor patch/workaround as well as protections and security controls that can prevent exploitation of the vulnerability

Definitions

• The vendor is the individual, group, or company that maintains the software, hardware, or resources that are related to the vulnerability
• The date of contact is the point in time when Bulletproof initially contacts the vendor about the vulnerability
• All dates, times, and time zones are relative to location of Bulletproof’s geographical location
• All day counts are calendar

Policy

1. The vendor will be given 14 days from the date of contact for an initial response. Within the 14 days, three attempts at contact will be made. Should no contact occur by the end of 14 days, Bulletproof will evaluate the risk to our clients and may decide to disclose the vulnerability to its clients, at a minimum.
2. Bulletproof will provide a best effort to honour requests from the vendor for additional information or help in reproducing the vulnerability. This will include providing configuration details and the scenario in which the vulnerability was discovered.
3. The vendor is responsible for providing regular status updates (regarding the resolution of the vulnerability). If the vendor discontinues communication at any stage of the process for more than 30 days after date of contact, Bulletproof will view the vendor as non-responsive and will consider public disclosure.
4. The vendor is encouraged to provide reasonable credit to Bulletproof and to the researcher responsible for discovering the vulnerability. Suggested (minimal) credit could be: "Credit to [researcher name] from the Penetration Testing Team at Bulletproof for disclosing the vulnerability to [vendor name]."
5. The vendor is encouraged to coordinate a joint public release/disclosure with Bulletproof so advisories of the vulnerability and resolution can be made available together.
6. The vendor will be given a maximum of 90 days after the date of contact to release a patch. After 90 days Bulletproof will consider public disclosure.
7. If a third party publicly discloses the vulnerability during this process, disclosure will be considered to be public and Bulletproof will work with the vendor for immediate disclosure.
8. If the vulnerability is being actively exploited in the wild, Bulletproof will work with the vendor on an escalated disclosure timeline potentially less than seven days after the date of contact if exploitation is experienced on a wide and public scale.
9. Proof of concept code or technical explanation of exploitation of a vulnerability that is rated critical may be withheld for up to 14 days after public disclosure to allow time for organisations to protect themselves.