Securin, Inc. (Securin), as a security service provider and research organization, strongly believes that constructive and coordinated disclosure is the best approach to addressing and fixing a vulnerability. We also believe that these contributions to the security community help reduce attack surfaces and attack vectors against diverse and ever-changing threats.
Securin's vulnerability disclosure policy applies to any third-party vendor product for which Securin will assign CVEs to vulnerabilities, provided the product is not within the scope of another CVE Numbering Authority (CNA).
Once a security issue is found, Securin will take the following steps to notify the respective parties so that it can be fixed.
- Once we have confirmed the vulnerability, we will gather all the necessary information to communicate the details to the affected party.
- Securin will try to establish initial contact with the affected vendor via email regarding the vulnerability with all the supporting documents.
- If we don't receive a response from the vendor within seven days of sending the mail, a reminder will be sent. If the vendor does not respond or refuses to acknowledge the vulnerability within 14 days of initial contact, Securin will publicly disclose the vulnerability.
- If we receive a response from the vendor, we will notify them about the date of the vulnerability disclosure that we have set.
- The vendor will be allowed 90 days to provide a patch or relevant fix for the issue. If provided, then the vulnerability will be disclosed immediately following the vendor’s patch or fix release.
- If a fix is not provided within the 90-day period and no response is received from the vendor, we will go ahead and disclose the vulnerability on the aforementioned date.
- In the event that the vendor is unable to provide a fix within the deadline but has communicated with Securin about it, the deadline may be adjusted. A maximum of six months of coordination will be given to the vendor to fix the vulnerabilities. After that, the vendor will be informed and the vulnerability will be disclosed regardless of whether a fix is available.
- The 90-day deadline mentioned above is not a hard deadline. Securin may shorten or lengthen it based on criteria such as the severity of the vulnerability, ease of exploitation, etc.
- Until the disclosure process is complete, Securin will keep all communication to and from the vendor confidential. However, we will disclose the vulnerability to the public irrespective of whether the vendor supports the disclosure.
- All CVEs assigned by Securin and its vulnerability disclosures can be found in the Securin Zero Days List. Only the advisories published in the security advisory will be considered official documents.
Securin is always open to feedback and suggestions. If you would like to contact us, please feel free to email us at firstname.lastname@example.org