Disclosure policy

This document outlines the policy used by SecurityLab to inform product vendors, customers and the general public about detected flaws and publicly disclose information about vulnerabilities.

SecurityLab takes responsibility for informing vendors about flaws discovered in their products and is ready to cooperate with vendors to eliminate vulnerabilities or deploy workarounds.

  1. If the vendor does not publish security contacts, SecurityLab sends a request for contact information to public e-mail addresses associated with the vendor. In accordance with SecurityLab policy, information about vulnerabilities is never submitted via online forms, but such forms may be used to request contact information.
  2. When a security contact or other relevant e-mail address has been identified, information about the discovered vulnerability is sent to the vendor.
  3. If the vendor does not respond to the initial email within five work days, the email is resent. If the vendor does not respond to the second email within five work days, SecurityLab may publicly disclose the vulnerability details.
  4. If the vendor replies:
    • An email with the vulnerability details and a preset disclosure date is sent to the vendor. A new disclosure date may be set if the vendor cannot meet the preset date.
    • SecurityLab expects regular status updates from the vendor. If status updates are not part of the vendor's policy, SecurityLab sends monthly status update requests.
    • If the vendor does not reply to a status update request within 5 work days, the request is resent.
    • If the vendor does not reply to the second status update request, SecurityLab may publicly disclose the vulnerability details after 5 work days without further notice.
  5. Vulnerability details may be publicly disclosed when:
    • the preset or agreed disclosure date is reached
    • the vendor issues a fix or security advisory
    • a third party publicly discloses the vulnerability details
    • active exploitation of any form, or proof-of-concept (PoC) code, is observed on the Internet
    • the vendor does not issue a fix within 6 months of the initial contact date
    • the vendor acts irresponsibly during vulnerability notification, mitigation, or response coordination. The following are examples of what SecurityLab considers irresponsible acts:
      • Indirectly disclosing the vulnerability by releasing patches without an accompanying advisory notice.
      • Releasing a patch for one affected product version while leaving another affected version unpatched.
      • Becoming unresponsive.
  6. SecurityLab reserves the right to pass information about discovered vulnerabilities to the Positive Technologies Research Team for future use in XSpider, MaxPatrol and other products.
  7. SecurityLab reserves the right to accelerate disclosure of vulnerability details after informing the vendor in advance.
  8. Some vulnerability details (security advisory ID, vendor's name, exploitation vector, threat level and advisory issue date) are publicly disclosed before the vendor is contacted (see #9).
  9. Vulnerability details are publicly disclosed on the following web sites:

Document version 1.1
