1. Introduction
Vulnerabilities in computer-related products are commonly discovered as a result of security tests and
research. We believe that knowledge of these flaws creates a shared responsibility between the IT
security company that discovered the vulnerability and the related vendor, which must work together
to address the problem and supply the user community with an adequate response.
As a network and application security consulting firm, we are constantly researching new methods to
understand and exploit computer products, anticipating new threats and developing countermeasures
to prevent them for our customers. This policy states how Conviso IT Security will minimize risks to
our clients and to the market, and contribute to the security community, through a Responsible
Disclosure process.
2. Discovery Process
When a vulnerability is discovered, Conviso Security Labs will prepare a Security Advisory that
describes the vulnerability, identifies the related vendor and the versions of the component that are
vulnerable, the potential ways in which the vulnerability can be exploited, the proposed risk-reduction
countermeasures, and the risk to the user community.
This document will be prepared as a draft and shared with the vendor, and a Common Vulnerabilities
and Exposures (CVE) number will be requested from MITRE [1] in preparation for the publishing process. The
public availability of the advisory will proceed according to the timeline defined in this policy.
We understand that as soon as communication is established with the vendor, a collaboration process
must begin in order to achieve a full understanding of the vulnerability and agree on a corrective action. The day
on which the vulnerability is communicated to the vendor will be considered "Day 0" of the disclosure
timeline, and we expect a response by email within 7 days that acknowledges receipt of our notification
and identifies a plan to address the vulnerability.
[1] http://cve.mitre.org/
Milestone                          Day      Description
Vendor notified (second attempt)   Day 12   A second contact attempt will be made 10 days after the
                                            initial one if no response is received from the vendor.
Vendor notified (third attempt)    Day 22   A third contact attempt will be made 20 days after the
                                            initial one if no response is received from the vendor.
Vendor notified (final attempt)    Day 32   A final contact attempt will be made 30 days after the
                                            initial one if no response is received from the vendor.
6. Timeline
All vulnerabilities will be disclosed to the public 90 days after the initial report, regardless of the
existence or availability of patches or workarounds from affected vendors. Extenuating circumstances,
such as active exploitation, threats of an especially serious nature, or situations that require changes to
an established standard may result in earlier or later disclosure.
Under normal circumstances we intend to follow a timeline of 60 days between the identification of the
vulnerability and the public availability of the Security Advisory, which we understand is an acceptable
deadline for a large organization to meet.