In the course of security research, MDSec regularly discover weaknesses in fully patched and up-to-date software. In this scenario, MDSec attempt to responsibly disclose relevant information to the vendor and the public to ensure that an appropriate patch can be developed and the wider community can benefit from the fix.
The purpose of this policy is to:
• Formalize the process by which MDSec will responsibly disclose a vulnerability,
• Inform vendors and other third parties of MDSec’s approach,
• Minimize the risk for all concerned parties,
• Minimize the time and resources that all concerned parties require to manage a vulnerability.
The basic process involved in reporting a vulnerability to a vendor is detailed within the subsequent sections. This process is divided into 5 logical steps:
When a vulnerability is first discovered, MDSec will investigate the flaw and attempt to clarify its impact. If a vulnerability is discovered during a client engagement, MDSec will liaise with the client and agree a suitable course of action to responsibly disclose the issue.
Following the initial discovery and, where necessary, agreement with the client, MDSec will attempt to identify the appropriate security contact within the vendor.
During this step, MDSec will notify the vendor of the identified vulnerability.
Where no public communication channel has been determined through step 1, MDSec will attempt to establish contact using the security@, alert@, info@ and support@ e-mail addresses of the vendor’s primary domain.
The initial notification will contain no specific information about the vulnerability but act as a means to agree a secure communication channel. Once a secure communications channel has been established, MDSec will provide the vendor with a detailed analysis of the vulnerability.
Once the initial notification e-mail has been sent, MDSec expect an acknowledgement of receipt from the vendor within 7 days. If no acknowledgement is received from the vendor, MDSec reserve the right, at its discretion, to accelerate the vulnerability disclosure process to step 5.
During this phase it is expected that the vendor will attempt to reproduce the vulnerability. MDSec will provide the vendor with a detailed analysis of the vulnerability as part of step 2. If this analysis is not sufficient for the vendor to reproduce the vulnerability, the vendor should inform MDSec that further information is required within 30 days of the initial notification.
When the vendor has reproduced the vulnerability, and within the aforementioned 30-day period, it is expected that the vendor will provide MDSec with a response indicating whether the vulnerability is already known and a timeline for remediation.
If the vendor is aware of any other products that may be affected by the vulnerability, the vendor will provide MDSec with this information. In this scenario, the vendor agrees that MDSec will notify these additional vendors. There is no direct relationship between the timeline to report the vulnerability to other vendors and the initial vendor. MDSec, at its own discretion, may adjust the disclosure timeline accordingly to incorporate response time for other vendors.
MDSec is committed to ensuring that all vulnerabilities are fixed and a patch provided to the public. Where a patch is not feasible, the resolution of the vulnerability should include a workaround, configuration change or redesign such that the exposure of the vulnerability is removed.
During this phase the vendor will develop and test the fixes for the reported vulnerability. When a fix has been developed, the vendor will notify MDSec of the fix and where possible, provide MDSec with an early fix in order to validate that the issue has been successfully resolved.
MDSec appreciate that developing and testing a patch can be a time-consuming process. As a guideline, MDSec expect that any vulnerability can be resolved within 90 days of the initial notification. There are, however, many valid reasons why a vulnerability is not remediated within a specific timeframe. MDSec will therefore, in good faith, not publicly disclose the issue until a fix is available, provided that the vendor provides regular updates on the remediation process and a suitable timeline can be agreed.
MDSec will notify the vendor of the disclosure date in accordance with the timelines and caveats outlined in steps 3 and 4.
On the disclosure date MDSec will release a security advisory on its website, as well as emailing the advisory to security mailing lists such as Bugtraq and Full Disclosure.
If another party reports the vulnerability before the disclosure date, MDSec will immediately disclose the vulnerability to its customers and the public.
In some cases, MDSec may include technical information on how to exploit the bug as part of its security advisory.