This policy outlines how Blue Frost Security handles responsible disclosure of security vulnerabilities to affected vendors and the general public. Blue Frost Security pursues several goals with the responsible disclosure process. On the one hand, we want to inform the public about identified security vulnerabilities as soon as possible. Furthermore, we want to ensure that vulnerabilities are patched and fixes are provided by the vendor as quickly as possible, so that end-users can protect themselves. On the other hand, we believe that security advisories should actually provide added value to the reader. We strive to publish detailed advisories with as much technical information about the vulnerability as possible, to benefit other security researchers and the security community as a whole.
Time is critical when new vulnerabilities are identified. The offensive security community spends a huge amount of time and effort performing vulnerability research on high-profile targets. When we identify a new, publicly unknown vulnerability in such a target, chances are that the vulnerability is already known to other advanced groups who are using it for their own malicious purposes. Therefore, we try to work with the vendor to address the risk as quickly as possible.
After we have identified a previously unknown vulnerability, we prepare a security advisory with technical information about the vulnerability as well as a proof of concept. The vendor of the affected product is contacted through its documented communication channel for security issues. If no official security contact can be identified, we attempt to reach the most appropriate contacts at the vendor by email or phone. If no vendor response is received within 2 weeks of the initial contact, Blue Frost Security will work with a coordinator, such as CERT/CC (http://www.cert.org), to disclose the vulnerability to the public.
Once a first vendor response has been received, Blue Frost Security adheres to a 90-day disclosure deadline, after which the vulnerability details will be published. Details are published sooner if the vendor releases a fix. In addition to the 90-day disclosure deadline, we apply the following rules, which are taken verbatim from the Google Project Zero policy:
- Weekends and holidays: If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- 14-day grace period: If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. This way the public disclosure of an unpatched issue will only occur if a deadline will be significantly missed (2 weeks+).
- Assignment of CVEs: CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it's important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we'll ensure that a CVE has been pre-assigned.
In general, we reserve the right to extend or shorten the disclosure deadline based on extreme circumstances, such as active exploitation or other known threats. We believe that this policy will help shorten vendors' response times to security bugs and ultimately improve end-user security.