cirosec follows this responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need to give the vendor or open-source project (referred to as “entity” below) enough time to develop and distribute a fix with the public's need to know about the vulnerability. The policy is in accordance with industry-standard responsible disclosure practices.
If the vulnerability was discovered as part of a customer project, the plan of action is coordinated together with the customer. We explicitly recommend, however, following the same process as if the vulnerability had been discovered during internal cirosec research, as described below.
cirosec Security Advisory
Having found a publicly unknown vulnerability, cirosec will document it in the form of a cirosec security advisory (CSA). The advisory may include the following:
Reporting of a vulnerability
If the entity works with a third-party bug-bounty partner, cirosec will use this channel to report the vulnerability. Otherwise, cirosec will report the vulnerability directly to the entity responsible for developing the fix. First, the publicly documented communication channel for security issues is used. If no official security contact can be identified or no response is received within 7 days, further communication attempts are made by email or phone to the most appropriate contact at the entity, where possible. As a last resort, we may try to contact the entity via social networks, such as X (formerly known as Twitter).
The 90 + 30 days disclosure deadline policy
cirosec follows a 90 + 30 days disclosure deadline policy: after cirosec has notified an entity about a security vulnerability, the entity has 90 days to make a fix available to users. If no response from the entity is received within 7 days, further communication attempts are made. If we are unable to get any response from the entity within 21 days after our first contact attempt, we may publish technical details of the vulnerability.
If the entity provides a patch within the 90 days, cirosec will publicly disclose details of the vulnerability 30 days after the patch has been made available to users.
For example:
Therefore, each cirosec security advisory will contain the following statement:
This vulnerability is subject to a 90 + 30 days disclosure deadline starting today (YYYY-MM-DD). If a fix for this issue is made available to users before the end of the 90-day deadline, cirosec will publish a vulnerability report 30 days after the fix was made available. Otherwise, this vulnerability report will be published at the end of the deadline (YYYY-MM-DD).
If the fix is expected to be published within 14 days after the deadline expires, cirosec may offer an extension to align with the entity's patch management cycles. There will be no further prolongation beyond those 14 days.
If the entity indicates that no fix will be issued, for example because the entity does not assess the finding as a security vulnerability or states that it cannot be fixed, cirosec may publish technical details immediately.
Disclosure details
cirosec decides case by case whether and in how much detail a vulnerability is disclosed. The same applies to publishing proof-of-concept or exploit code.
Technical vulnerability details are published on the cirosec website.
Bug Bounty Policy
As cirosec itself specializes in penetration testing and regularly publishes advisories on standard software products, we appreciate the work of external security researchers who find bugs in software products, websites or APIs.
Given the nature and focus of our business, we take information security very seriously and invest significant resources in the security of our own IT infrastructure. However, we are aware that people make mistakes and that the regular scans and penetration tests of our own infrastructure may miss a vulnerability.
If you find a vulnerability in one of our websites or externally visible IT systems, we want to hear from you, and you may receive a bounty depending on the criticality and relevance of the vulnerability. Please report such vulnerabilities to ciso@cirosec.de.
Version 1.1 – October 18, 2024