O – Day
Disclosure to Vendor and await acknowledgment
0 -7 Days
If acknowledgement not received from the vendor, second attemppt of contact
0 – 10 Days
If acknowledgment is received
- Convey the commencement of 90 day’s public disclosure window.
- Provide technical details if requested by vendor
Else proceed with public disclosure of the vulnerability
Inform “CERT” or other Disclosure Coordinators about the findings ( Depending on case, we decide which coordinator to inform)
Before 90 Days
Vendor fixes & tests the vulnerabilities. Next vendor announces the path for the vulnerability and informs Payatu.
After patching or 90 Day’s
We make a public disclosure from our side after 90 days of notification or after the release of a patch by the vendor, whichever happens early.
We disclose our findings with academic details for the benefit of the larger community through
– Blog
– Technical Paper at Security Conferences (anywhere across the globe)
– Include in our training courses or study material
Confidentiality & Secure Communication
Regarding communication on Disclosure with vendor, the framework sets the following procedure:
- Throughout the nondisclosure period we expect regular communication between our team and vendor and this kept confidential
- Only the Finder of the vulnerability and Payatu Appointed authority for the Disclosure Response Program are in communication loop.
- Communication with Vendor and progress on stages of the Disclosure is documented and tracked at Payatu with its internal systems.
- We prefer to use Cryptographically Secure communication channels to communicate with Vendors if supported and provided by them.
- As a Policy we Do keep “CERP” or other “Industry Trusted Disclosure Coordinators(s)” informed about our findings. This is a right of the Finder and doesn’t requires any kind of persmission from the affected Vendor.
