Vulnerability Disclosure Policy


Sometimes in our daily work we find vulnerabilities that are not yet known to public databases such as SecurityFocus BugTraq (BID) (http://www.securityfocus.com/bid).
This means that, if found by someone else, these vulnerabilities could be used with malicious intent.

In this case the researcher who has found the vulnerability has essentially four options:
1. Do nothing
2. Full disclosure: all the details of the vulnerability are published
3. Report to the black/gray market (to get money)
4. Responsible disclosure (aka coordinated vulnerability disclosure, CVD)

The first option is the easiest one for the researcher: no additional work.
The second option is quite easy too and very interesting for the security community, as everyone can use the vulnerability information straight away. Unfortunately, this way the bad guys become aware of the vulnerabilities too and can exploit them straight away as well.
The third option is interesting for researchers who want to get money, but unfortunately the vendors don't always get the information quickly, so the software remains vulnerable for longer.
The last option is interesting for everybody: researchers, vendors and clients. The vulnerabilities are reported to the vendors, and when an update is released the vendors may acknowledge the researcher in their advisories.

As we try to protect our clients, vendors and users of affected products at the same time, we prefer the last option (responsible disclosure), which CERT/CC describes as follows (https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642):

When a vulnerability is found by a reporter, the reporter informs the vendor and suggests a timeline for disclosure. The amount of time varies greatly based on the organization.
The vendor and reporter typically work together to provide a simultaneous public disclosure after a patch is ready. The disclosure may be Limited Disclosure or Full Disclosure after the timeline has expired.
In cases where the vendor and reporter do not agree on a timeline, or the vendor is unresponsive, the reporter may publish anyway at the end of the original proposed timeline.