My vulnerability disclosure policy is only relevant to vulnerabilities identified individually by me and reported to Vendors, CERT bodies, CNAs, CVE bodies or any similar organization. The policy has nothing to do with my workplace or vulnerability disclosure policy present at my workplace.
I believe vulnerability disclosure is a two-way street. Venders and researchers MUST act responsibly. This is why I mostly follow a 45-day policy.
- Upon discovery of a vulnerability, the vendor is notified via -
1) Email mentioned in the vulnerability disclosure policy of the vendor.
2) If there is no vulnerability disclosure policy or email address, there shall be an attempt to contact using any information in the “Contact Us” page.
3) If there is no possible way to identify contact information of the vendor, there shall be an attempt to contact the vendor using either the CERT body of that country or CERT CC.
- Upon for first attempt to establish contact, there shall be a 45 day period wait for a response for the vendor.
- If the vendor fails to repond within 45 days, I (the researcher) shall proceed with public disclosure with the defensive community.
- If the vendor responds with a request for extension to 45 days to write a patch, an additional 45 days shall be provided upon discresion of the researcher.
- If the discovered vulnerability is already being exploited in the wild, the disclosure shall be done in 5 days from the day of attempted contact with the vendor so that the community can start to build patches for the vulnerability.
For some time now I have followed No Disclosure policy, but because of certain vendors and their responses, I believe limited disclosure are more beneficial.
I mostly do Limited Disclosures and Coordinated Disclosures. And for a few vulnerabilities, I do some Full Disclosures. The only period when I do no disclosure is if a organization approaches me giving me access to some unique software and have some kind of NDA around it or until I have time.
As per CERT/CC, there the disclosure types (available at: https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642) are as follows:
- No Disclosure – When a vulnerability is found, all information about the vulnerability is kept private. Sometimes this is enforced by non-disclosure agreements (NDAs). Vendors sometimes prefer this scenario to protect secrets, as well as certain researchers that wish to do the same.
- Limited Disclosure – When a vulnerability is found, only some information about the vulnerability is disclosed. The goal is typically to slow down reverse engineering and exploit development long enough for a fix to be developed and deployed. This is done by withholding proof of concept code or other technical details of the vulnerability.
- Full Disclosure – When a vulnerability is found by a reporter, all information about the vulnerability including proof of concept should be disclosed immediately. The belief is that this disclosure serves the greater good by allowing consumers to be aware of issues in their products, and demand action from vendors, as well as have information available to make more informed purchasing decisions. Security researchers tend to favor this approach. The vendor is typically not informed prior to disclosure, or at least has a very small window (typically < 1 day) to act. Alternately, this type of disclosure may also be performed by the vendor themselves: many open source projects, for example, handle security issues in the open in order to maximize review of the vulnerability and testing of the proposed solution.
- Responsible Disclosure – When a vulnerability is found by a reporter, the reporter informs the vendor and suggests a timeline for disclosure. The amount of time varies greatly based on the organization. The vendor and reporter typically work together to provide a simultaneous public disclosure after a patch is ready. The disclosure may be Limited Disclosure or Full Disclosure after the timeline has expired. In cases where the vendor and reporter do not agree on a timeline, or the vendor is unresponsive, the reporter may publish anyway at the end of the original proposed timeline. In the CERT/CC’s opinion, the term “responsible” is too vague. The word “responsible” tends to draw focus toward “good” and “bad”, rather than objectively searching for a way to address a problem that was discovered.
- Coordinated Disclosure – Coordinated Disclosure is the CERT/CC’s preferred terminology for the older “Responsible Disclosure”. Among others, Microsoft has advocated for coordinated disclosure. Otherwise, Coordinated Disclosure and Responsible Disclosure are the same thing. Often, you will see Coordinated Vulnerability Disclosure abbreviated as CVD.