Disclosure Policy


At Payatu we take Security Research and Disclosures Seriously. As we consume and work with many technologies, we often find security issues with them.
We consider Responsible Disclosure our Duty and work with Vendors through the process standardized under the Payatu Disclosure Policy Framework with reference to ISO/IEC 29147.

Timelined Procedure
This framework lays out the following timelined procedure that we follow:

0 Day: Disclosure to Vendor and await Acknowledgement
0 - 7 Days: If Acknowledgement is not received from Vendor, second attempt at contact
0 - 10 Days: If Acknowledgement is received
   ● Convey the commencement of the 90-day public disclosure window.
   ● Provide technical details if requested by Vendor
Else Proceed with Public Disclosure of Vulnerability
Inform “CERT” or other Disclosure Coordinators about the findings (depending on the case, we decide which Coordinator to inform)
Before 90 Days: Vendor fixes & tests the vulnerabilities. Next, the vendor announces a patch for the vulnerability and informs Payatu
After Patching or 90 Days: We make a public disclosure from our side after 90 days of notification or after release of a Patch by the vendor, whichever happens earlier.
We disclose our findings with academic details for the benefit of the larger community through
   ● Blog (blog link)
   ● Technical Paper at Security Conferences (anywhere across the globe)
   ● Include in our training courses or study material

Confidentiality & Secure Communication
Regarding communication on Disclosure with the vendor, the framework sets the following procedure:

   ● Throughout the non-disclosure period, we expect regular communication between our team and the vendor, and this is kept confidential.
   ● Only the Finder of the vulnerability and the Payatu-appointed authority for the Disclosure Response Program are in the communication loop.
   ● Communication with the Vendor and progress on states of the Disclosure are documented and tracked at Payatu with its internal systems.
   ● We prefer to use Cryptographically Secure communication channels to communicate with Vendors if supported and provided by them.
   ● As a Policy we DO keep “CERT” or other “Industry Trusted Disclosure Coordinator(s)” informed about our findings. This is a right of the Finder and doesn't require any kind of permission from the affected Vendor.