POLICY.md

File metadata and controls

53 lines (31 loc) · 5.28 KB

Responsible Disclosure Policy

1. Introduction

Vulnerabilities in computer-related products are routinely discovered during security testing and research. We believe that knowledge of such a flaw creates a shared responsibility between the IT security company that discovered the vulnerability and the affected vendor, who must work together to address the problem and give the user community an adequate response.

As a network and application security consulting firm, we constantly research new methods to understand and exploit computer products, anticipating new threats and developing countermeasures to protect our customers. This policy states how Conviso Application Security S/A minimizes risk to our clients and to the market, and contributes to the security community, through Responsible Disclosure.

2. Discovery Process

When a vulnerability is discovered, Conviso Code Fighters will prepare a Security Advisory that describes the vulnerability, identifies the affected vendor and the vulnerable versions of the component, and covers potential ways the vulnerability can be exploited, proposed risk-reduction countermeasures, and the risk to the user community.

This document will be prepared as a draft and shared with the vendor. A Common Vulnerabilities and Exposures (CVE) identifier will be requested from MITRE [1] in preparation for publication. Publication will proceed according to the timeline defined in this policy.

3. Communication

After a communication channel has been established, the affected vendor will be notified and provided with a draft of the advisory. The vendor will be contacted using the contact name or email address published on its public website.

We understand that as soon as communication is established with the vendor, a collaborative process must begin in order to reach a full understanding of the vulnerability and agree on corrective action. The day the vulnerability is communicated to the vendor is considered "Day 0" of the disclosure timeline, and we expect an email response within 10 days that acknowledges receipt of our notification and identifies a plan to address the vulnerability.

4. Collaboration with Other Parties

Conviso Application Security S/A may inform its customers immediately about any vulnerability identified, and may disclose the vulnerability to other Computer Security Incident Response Teams (CSIRTs), such as CERT or CERT-BR, if the impact justifies this action.

5. Security Advisory Release Coordinated with the Vendor

Conviso Application Security S/A will prepare the final version of the Security Advisory, disclosing the same information originally provided to the vendor (unless the facts have changed) together with any workarounds or patches made available by the vendor or by Conviso Code Fighters. The advisory will be written by Conviso Code Fighters and approved by the Research & Development Manager and the Operations Manager.

Contact

| Task | Timeline | Comments |
| --- | --- | --- |
| Security Advisory draft development | N/A | N/A |
| Vendor notified (first attempt) | Day 0 | The vendor will be notified immediately upon completion of the Security Advisory draft. |
| Vendor notified (second attempt) | Day 10 | A second contact attempt will be made 10 days after the initial one if no response is received from the vendor. |
| Vendor notified (third attempt) | Day 20 | A third contact attempt will be made 20 days after the initial one if no response is received from the vendor. |
| Vendor notified (final attempt) | Day 30 | A final contact attempt will be made 30 days after the initial one if no response is received from the vendor. |

Coordinating

| Task | Timeline | Comments |
| --- | --- | --- |
| Vendor patch development | After first effective contact, or Day 30 | The vendor will be given 60 days to provide a patch and/or workaround for the vulnerability. |
| Publish the Security Advisory | After a patch is released, or Day 90 | |

6. Timeline

All vulnerabilities will be disclosed to the public 90 days after the initial report, or once a patch has been made available. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to an established standard, may result in earlier or later disclosure.

7. References

[1] https://cve.mitre.org/