0 Day

Disclosure to Vendor and await acknowledgment

0 – 7 Days

If acknowledgement is not received from the vendor, second attempt at contact

0 – 10 Days

If acknowledgment is received

  • Convey the commencement of the 90-day public disclosure window.
  • Provide technical details if requested by the vendor.

Else, proceed with public disclosure of the vulnerability.

Inform “CERT” or other disclosure coordinators about the findings (depending on the case, we decide which coordinator to inform).

Before 90 Days

Vendor fixes & tests the vulnerabilities. Next, the vendor announces the patch for the vulnerability and informs Payatu.

After patching or 90 Days

We make a public disclosure from our side after 90 days of notification or after the release of a patch by the vendor, whichever happens earlier.

We disclose our findings with academic details for the benefit of the larger community through:
– Blog
– Technical paper at security conferences (anywhere across the globe)
– Inclusion in our training courses or study material

Confidentiality & Secure Communication

Regarding communication with the vendor during disclosure, the framework sets the following procedure:

  • Throughout the nondisclosure period we expect regular communication between our team and the vendor, and this is kept confidential.
  • Only the finder of the vulnerability and the Payatu-appointed authority for the Disclosure Response Program are in the communication loop.
  • Communication with the vendor and progress through the stages of the disclosure are documented and tracked at Payatu in its internal systems.
  • We prefer to use cryptographically secure communication channels to communicate with vendors if supported and provided by them.
  • As a policy, we do keep “CERT” or other “Industry Trusted Disclosure Coordinator(s)” informed about our findings. This is a right of the finder and does not require any kind of permission from the affected vendor.