RACK911 Labs believes in responsible disclosure.
We also believe that security vulnerabilities should be fixed in a timely manner, which is why our standard disclosure policy is to allow all vendors 90 days to take corrective action before we issue a public security advisory.
Initial Contact
Upon discovery of a possible security vulnerability, all reasonable efforts will be made to contact the vendor. Email will always be our preferred method of communication; however, should we fail to establish an open channel, we may resort to social media to obtain the necessary contacts.
Reporting Vulnerabilities
Once we have established contact with the vendor, all information regarding any possible security vulnerabilities will be shared, including step-by-step proofs of concept and any other pertinent details.
All communication between the vendor and ourselves will be held in the strictest confidence. At no point during the initial contact will we share any information or proofs of concept with a third party.
Working Together
RACK911 Labs is committed to working with the vendor to address any suspected security vulnerabilities. Communication between the vendor and ourselves must remain open and ongoing regarding the following:
– Acknowledgement of the initial report.
– Confirmation that a security vulnerability does indeed exist.
– When the security vulnerability will be corrected.
– When the vendor intends to notify their clients and/or partners.
– Confirmation that RACK911 Labs has been properly credited.
Public Disclosure
As soon as the security vulnerability has been resolved by the vendor, RACK911 Labs will issue a security advisory to inform our clients and partners.
The security advisory will include all relevant information, such as the affected and resolved versions, a brief description of how the security vulnerability works, and a timeline of the communication between the vendor and RACK911 Labs.
Should the vendor fail to uphold an acceptable level of communication and/or fail to resolve the suspected security vulnerability within 90 days, RACK911 Labs may issue a public security advisory to warn our clients and partners so they may take any necessary steps to protect themselves.