This document outlines SecureState’s zero-day vulnerability disclosure process.
In an effort to get vulnerabilities fixed to protect clients and to hold software developers accountable for their products, upon finding a zero-day vulnerability, SecureState:
- Will make a good-faith effort to contact the vendor via email, telephone, etc., and will utilize MITRE, CERT, and others for vendor contact if needed. Public contact sources (email address, telephone number, etc. on the affected party’s site) will be used.
- Will publish full details of the vulnerability after two failures by the vendor to respond to our contact, with a 5-business-day waiting period following each attempt.
- Will plan to publish full details of the vulnerability, fix/patch, and exploit (if available) 20 business days from the vendor acknowledgement date.
- Will work, within reason, with vendors that suspect they cannot meet the 20-day timeframe.
- Will provide the vendor with the exploit or steps to recreate the vulnerability, at their discretion.
- Asks that vendors provide a point of contact upon vulnerability acknowledgement.
- Asks that vendors give weekly updates on the progress of a fix.
- Asks that vendors give credit to SecureState for the research in release notes, advisories, etc. At minimum: “Thank you to John Doe of SecureState for providing us with this information.”
- Asks that vendors provide accurate information about fixes to be released with the full disclosure.