Disclosure Policy

Services

IoT Security Testing Red Team Assessment Product Security AI/ML Security Audit Web Security Testing

Mobile Security Testing DevSecOps Consulting Code Review Cloud Security Critical Infrastructure

Products

EXPLIoT

EXPLIoT is framework for IoT security testing
and exploitation.

CloudFuzz

CloudFuzz is platform that lets you code for bugs
by running your software with millions of test cases.

Who we are

About Us Payatu Bandits

Resources

Blogs MasterClass Series Case Studies E-Books New Advisory Media Checklist

Tools

securecode.wiki New

Pune Location Europe Location Australia Location

Top Openings

Security consultant IT sales Pre-Sales Executive Software Developer Software Tester

ALL OPENINGS

Get all of it

Be a Bandit

Payatu Disclosure Policy

0 day	Disclosure to vendor and await acknowledgement
0 - 7 days	If acknowledgement not received from the vendor, second attempt of contact
0 - 10 days	If acknowledgement is received ● Convey the commencement of 90 days public disclosure window. ● Provide technical details if requested by vendor else proceed with public disclosure of the vulnerability Inform "CERT" or other Disclosure Coordinators about the findings (depending on case, we decide which coordinator to inform)
Before 90 days	Vendor fixes & tests the vulnerabilities. Next vendor announces patch for the vulnerability and informs Payatu
After patching or 90 days	We make a public disclosure form our side after 90 days of notification or After release of a patch by vendor, whichever happens early. We disclose our findings with academic details for the benefit of larger community through ● Blog (blog link) ● Technical Paper at Security Conferences (any where across the globe) ● Include in our training courses or study material

Confidentiality & Secure Communication

Regarding communication on Disclosure with vendor, the framework sets the following procedure:

Confidentiality & Secure Communication
Regarding communication on Disclosure with vendor, the framework sets the following procedure:

   ● Throughout the non disclosure period we expect regular communication between our team and vendor and this is kept confidential.
   ● Only the Finder of the vulnerability and Payatu Appointed authority for Disclosure Response Program are in communication loop.
   ● Communication with Vendor and progress on states of the Disclosure is documented and tracked at Payatu with its internal systems.
   ● We prefer to use Cryptographically Secure communication channels to communicate with Vendors if supported and provided by them.
   ● As a Policy we DO keep "CERT" or other “Industry Trusted Disclosure Coordinator(s)” informed about our findings. This is a right of the Finder and doesn't requires any kind of
      permission from the affected Vendor.