Vulnerability Disclosure Policy (VDP)
Last revision: November 6th, 2024
The vulnerability disclosure policy has the following goals:
To ensure vendors are given a reasonable amount of time to address reported issues.
Provide the security community and affected users with honest, useful, and actionable vulnerability details.
Protect vulnerability reporters' privacy and, if requested, anonymity.
Reduce bureaucracy by providing a simple way for any person who identifies a vulnerability to report it.
VULSec Labs coordinated disclosure process
VULSec Labs' aim is to practice coordinated disclosure where reasonable and possible.
VULSec Labs will attempt to contact the affected vendor with the vulnerability details, and provide a deadline to fix the issues and publish an advisory.
VULSec Labs will remain in contact with the vendor to agree on a date for the coordinated publication of the advisories.
Depending on the vendor's response and resolution timetable, VULSec Labs will aim to release a controlled advisory before the coordinated date, up to a maximum of 90 days, after which full disclosure will be performed, as practiced by Google Project Zero CNA Root. Lack of cooperation or response may result in full disclosure after as little as 45 days, as practiced by CISA, or earlier as (exclusively) determined by VulSec Labs.
A full third-party vulnerability advisory will be published by VULSec Labs under either of the following conditions:
Coordinated disclosure
The vendor has released a patch or advisory.
The vendor has agreed to the publication.
Uncoordinated disclosure - determined (exclusively) by VulSec Labs, with or without prior notice to the vendor, when any of the following applies:
The vendor-accepted SLA has lapsed.
The vendor has failed to respond to our contact attempt, or has declined or disagreed with any requirement provided to the vendor.
The vendor has provided, per VULSec Labs' assessment, an unreasonable timetable for resolution, or has failed to respond to initial or further communications from VULSec Labs. Full disclosure will be performed within 45-90 days.
The vulnerability has been found to be utilized "in-the-wild" by malware or threat actors.
The vulnerability details or PoC have been found in an accessible location or publication, such as the Internet or a forum.
The vulnerability's threat or impact was determined to require uncoordinated disclosure, e.g. large or widespread impact, or low impact.
The vendor is acting in an unprofessional manner.
Any vendor-published patch is deemed by VULSec Labs to be a public disclosure by the vendor.
Timeline extensions will not be accepted.
Communications with VULSec Labs will be performed over email.
VULSec Labs will not participate in vulnerability disclosure programs that prohibit public disclosure or that in any way attempt to control or coerce VULSec Labs' work. This VDP supersedes any vendor's (or other entity's) VDP or other legal statement, regardless of any supposed or declared agreement by VulSec Labs to such terms, because some vendors (and other entities) restrict access to their contact/report details.
Any vendor response requesting the vulnerability details or discussing a timeline is deemed full and irreversible acceptance of this policy. The VULSec Labs policy takes precedence over vendor policies.
VULSec Labs reserves the right to deviate from, or change, the outlined process.
Any person or entity operating on behalf of VulSec Labs, including when coordinating or reporting a vulnerability or disclosure to a vendor or other entity, is subject to this VDP and protected by it, and is deemed to be operating under this VDP as VulSec Labs.