Vulnerability Disclosure Policy

Last revision: August 2nd, 2023

The vulnerability disclosure policy has the following goals

1. To ensure vendors are given a reasonable amount of time to address reported issues.

2. Provide the security community and affected users with honest, useful, and actionable vulnerability details.

3. Protect vulnerability reporters' privacy and, if requested, anonymity.

4. Reduce bureaucracy by providing a simple way of reporting vulnerabilities brought forward by any person who identifies a vulnerability.

VULSec Labs coordinated disclosure process

1. VULSec Labs aim is to practice coordinated disclosure, where reasonable and possible.

2. VULSec Labs will attempt to contact the affected vendor with the vulnerability details, and provide a deadline to fix the issues and publish an advisory.

3. VULSec Labs will remain in contact with the vendor to coordinate a date for the coordinated publication of the advisories.

4. VULSec Labs will aim to release a controlled advisory before the coordinated date, depending on the vendor response and resolution timetable, up to 90 days upon which full disclosure will be performed as practiced by Google Project Zero CNA Root. Lack of cooperation or response may result in full disclosure as soon as 45 days, as performed by CISA.

5. A full third-party vulnerability advisory will be published by VULSec Labs:

   1. Coordinated disclosure

      1. The vendor has released a patch or advisory.

      2. The vendor has agreed to the publication.

   2. Uncoordinated disclosure

      1. The vendor accepted SLA has lapsed.

      2. The vendor has failed to respond to our contact attempt.

      3. The vendor has provided, per VULSec Labs assessment, an unreasonable timetable for resolution or has failed to respond
         to initial or further communications from VULSec Labs. Full disclosure will be performed within 45-90 days.

      4. The vulnerability has been found to be utilized "in-the-wild" by malware or threat actors.

      5. The vulnerability details or PoC has been found in an accessible location or publication, such as the Internet or a forum.

6. Any vendor published patch is deemed by VULSec Labs as a vendor public disclosure.

7. Timeline extensions will not be accepted.

8. Communications with VULSec Labs will be performed over eMail.

9. VULSec Labs will not participate in vulnerability disclosure programs that prohibit public disclosure or in any way attempt to control or coerce VULSec Labs work.

10. Any vendor response, requesting the vulnerability details or discussing a timeline, is deemed as full irreversible acceptance of this policy. The VULSec Labs policy takes precedence over the vendor policies.

11. VULSec Labs reserves the right to deviate from, or change, the outlined process.