0 – Day
Disclosure to Vendor and await acknowledgement
0 – 7 Days
If acknowledgement is not received from the Vendor, a second attempt to establish contact will be made.
0 – 10 Days
If acknowledgement is received
- Convey the commencement of 90 days public disclosure window.
- Provide technical details if requested by Vendor
Else proceed with public disclosure of the vulnerability
Inform “CERT” or other Disclosure Coordinators about the findings
(Depending on case, we decide which coordinator to inform)
Before 90 Days
The Vendor fixes and tests the vulnerabilities. The Vendor then announces the patch for the vulnerability and informs Payatu.
After patching or 90 Days
We make a public disclosure from our side after 90 days of notification or after the release of a patch by the Vendor, whichever happens first.
We disclose our findings with technical details for the benefit of the larger community through:
- Blogs
- Technical papers at security conferences (anywhere across the globe)
- Inclusion in our training courses or study material
Confidentiality & Secure Communication
Regarding communication on Disclosure with Vendor, the framework sets the following procedure:
- Throughout the nondisclosure period, we expect regular communication between our team and the Vendor, and this is kept confidential.
- Only the Finder of the vulnerability and Payatu-appointed authority for the Disclosure Response Program are in the communication loop.
- Communication with the Vendor and progress through the stages of the disclosure are documented and tracked at Payatu using its internal systems.
- We prefer to use cryptographically secure communication channels to communicate with Vendors, if supported and provided by them.
- As a policy, we do keep “CERT” or other “Industry Trusted Disclosure Coordinators” informed about our findings. This is the right of the Finder and doesn’t require any kind of permission from the affected Vendor.
