Skip to content

Public security advisories released by the consultants of Blaze Information Security

Notifications You must be signed in to change notification settings

blazeinfosec/advisories

Repository files navigation

Security advisories

Public security advisories released by the consultants of Blaze Information Security

Vulnerability disclosure policy

Last modified: 28 July 2016

Contacting the vendor

Blaze Information Security will try to contact the vendor via commonly established vulnerability disclosure channels such as security@vendor, security-alert@vendor, psirt@vendor and similar e-mail addresses. Should this contact attempt not produce any response, the research team will try to contact the vendor via telephone.

In case of successful receipt of the vulnerability information (i.e., e-mail did not bounce) but no response from the vendor, Blaze Information Security will attempt a second contact with the vendor 7 days after the initial notification. If the vendor is not responsive in 15 days after the second attempt, details about the vulnerability will be made public regardless of the existence of a patch or a workaround to mitigate the issue.

If the vendor does not have a well-established vulnerability disclosure channel, Blaze Information Security will ask CERT/CC to intermediate the process. If this last attempt fails, Blaze reserves the right to publicly disclose all relevant information regarding without any further warning to the vendor.

Delivering the vulnerability report

Whenever possible Blaze will send the details about the vulnerability via e-mail, encrypted with PGP. Our public key can be found in the appendix [1].

What we expect from vendors

Vendors are expected to provide a patch for the vulnerability in 45 days. Under some exceptional circumstances this grace period can be extended up to 90 days, depending on the severity of the vulnerability and the difficulty to have it fixed. In case a patch is not available by the end of the established time frame, details of the vulnerability will be publicly disclosed.

Disclosure of proof of concepts

We strongly believe security advisories have to contain substantial information to reproduce the vulnerability. This includes the presence of a working proof of concept in the advisory. While at least a simple proof of concept will be made available in most cases, it is at the discretion of Blaze Information Security to disclose weaponized exploits with its advisories.

Appendix

[1] Public key: https://pgp.mit.edu/pks/lookup?op=get&search=0x09BDAA7993E7AE65

About

Public security advisories released by the consultants of Blaze Information Security

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published