Responsible Disclosure Policy

Purpose

This policy sets forth the reporting and disclosure process that I follow when I discover security vulnerabilities in third-party products and services.

Policy

This policy clearly states the timeline, actions, and responsibilities that apply equally to all providers.

Vulnerability Reporting and Disclosure

If a vulnerability is found in a vendor’s product or service, I will attempt to contact the provider by email to notify the vendor of such discovery. I will initially attempt to create a secure communication channel with the provider by exchanging PGP keys for encrypted email. If a secure communication channel is successfully created, then an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If no response to the attempt to create a secure communication channel is received by me within seven (7) days, then a description of the vulnerability will be sent by email to the provider in plain text.

My approach to vulnerability disclosure is based on industry standards and the Carnegie Mellon University Computer Emergency Response Team (CERT) vulnerability policy. For additional information, see the CERT disclosure guidelines.

If I discover a vulnerability in a provider’s product or service, I will take the following steps:

Day      Actions to be Taken by Me
Day 0    Initial vendor contact
Day 7    Second vendor contact if there is no response to my initial communication
Day 45   Reminder email sent to the vendor with the release date of the vulnerability report
Day 60   If the vendor has not responded or has stopped responding, a final reminder email will be sent
Day 90   Disclosure of the full vulnerability report on this website and CVE publication request submitted to MITRE

In the interest of fostering coordinated vulnerability disclosure, I will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary. If the provider releases a patch or mitigation for the vulnerability before the 90th day, then I will disclose the full vulnerability report immediately following the provider’s release of such patch or mitigation.

Definitions

For purposes of this policy, the following definitions apply:

Term     Definition
CERT     Carnegie Mellon University Computer Emergency Response Team
CNA      CVE Numbering Authority
CVE      Common Vulnerabilities and Exposures
MITRE    The organization that manages the CVE database
PGP      Pretty Good Privacy encryption software