Disclosure policy

This document outlines the policy used by SecurityLab to inform product vendors, customers, and the general public about detected flaws and publicly disclose information about vulnerabilities.

SecurityLab takes responsibility to inform vendors about flaws discovered in their products and is ready to cooperate with vendors to eliminate vulnerabilities or develop workarounds.

If a vendor does not provide security contacts, SecurityLab will send an email containing a request to the vendor’s certain public e-mail addresses. According to the SecurityLab policy, submitting information about vulnerabilities via online forms is prohibited, although these forms may be used for requesting contact information. Once a security contact has been identified, an email is sent containing a notification about security issue and a request for a S/MIME certificate in order to send the detailed information in an encrypted form. If the certificate is not provided, vulnerability details will be sent unencrypted at the vendor's own risk. Otherwise, an encrypted email message containing all relevant information will be sent. Whether or not SecurityLab received a response from the vendor, vulnerability details will be sent to the Computer Emergency Response Team (CERT) in no longer than 20 days since the initial vendor contact. Upon receiving vulnerability details, CERT will publish a security advisory according to its own disclosure policy in the timeframe of about 45 days.

Vulnerability details are publicly disclosed on the following web sites:

Document version 1.2