Responsible Disclosure

Responsible Disclosure Policy

Introduction

In the course of security research, MDSec regularly discover weaknesses in fully patched and up to date software. In this scenario, MDSec attempt to responsibly disclose relevant information to the vendor and public to ensure that an appropriate patch can be developed and the wider community can benefit from the fix.

Purpose

The purpose of this policy is to:

Process

The basic process involved in reporting a vulnerability to a vendor is detailed within the subsequent sections. This process is divided into five logical steps:

  1. Discovery
  2. Notification
  3. Validation
  4. Remediation
  5. Disclosure

Step 1: Discovery

When a vulnerability is first discovered, MDSec will investigate the flaw and attempt to clarify its impact. If a vulnerability is discovered during a client engagement, MDSec will liaise with the client and agree a suitable course of action to responsibly disclose the issue.

Following the initial discovery and where necessary, agreement with the client, MDSec will attempt to identify the appropriate security contact within the vendor.

Step 2: Notification

During this step, MDSec will notify the vendor of the identified vulnerability.
Where no public communication channel has been determined through step 1, MDSec will attempt to establish contact using the security@, alert@, info@ and support@ e-mail addresses of the vendor’s primary domain.

The initial notification will contain no specific information about the vulnerability but act as a means to agree a secure communication channel. Once a secure communications channel has been established, MDSec will provide the vendor with a detailed analysis of the vulnerability.

Once the initial notification e-mail has been sent, MDSec expect an acknowledgement of receipt from the vendor within 7 days. If no acknowledgement is received from the vendor, MDSec reserve the right, at its discretion, to accelerate the vulnerability disclosure process to step 5.

Step 3: Validation

During this phase it is expected that the vendor will attempt to reproduce the vulnerability. MDSec will provide the vendor with a detailed analysis of the vulnerability as part of step 2. If this analysis is not sufficient for the vendor to reproduce the vulnerability, the vendor should inform MDSec that further information is required within 30 days of the initial notification.

When the vendor has reproduced the vulnerability, and within the aforementioned 30-day period, it is expected that the vendor will provide MDSec with a response indicating whether the vulnerability is already known and a timeline for remediation.

If the vendor is aware of any other products that may be affected by the vulnerability, the vendor will provide MDSec with this information. In this scenario, the vendor agrees that MDSec will notify these additional vendors. The timeline for reporting the vulnerability to these other vendors is independent of the timeline agreed with the initial vendor. MDSec, at its own discretion, may adjust the disclosure timeline to incorporate the response time of the other vendors.

Step 4: Remediation

MDSec is committed to ensuring that all vulnerabilities are fixed and a patch provided to the public. Where a patch is not feasible, the resolution of the vulnerability should include a workaround, configuration change or redesign such that the exposure of the vulnerability is removed.

During this phase the vendor will develop and test the fixes for the reported vulnerability. When a fix has been developed, the vendor will notify MDSec of the fix and where possible, provide MDSec with an early fix in order to validate that the issue has been successfully resolved.

MDSec appreciate that developing and testing a patch can be a time consuming process. As a guideline, MDSec expect that any vulnerability can be resolved within 90 days of the initial notification. There are however many valid reasons why a vulnerability is not remediated within a specific timeframe. MDSec will therefore, in good faith, not publicly disclose the issue until a fix is available, providing that the vendor provides regular updates on the remediation process and a suitable timeline can be agreed.

Step 5: Disclosure

MDSec will notify the vendor of the disclosure date in accordance with the timelines and caveats outlined in steps 3 and 4.
On the disclosure date MDSec will release a security advisory on its website, as well as emailing the advisory to security mailing lists such as Bugtraq and Full Disclosure.

If another party reports the vulnerability before the disclosure date, MDSec will immediately disclose the vulnerability to its customers and the public.

In some cases, MDSec may include technical information on how to exploit the bug as part of its security advisory.
