Vulnerability Disclosure Policy
Pen Test Partners recognises the need to protect end user privacy and security.
We strongly believe in, and support, a coordinated and responsible approach to vulnerability disclosure. To this end, Pen Test Partners has developed this disclosure policy.
The policy
We adhere to a disclosure deadline of 90 days from initial contact. This can be brought forward if the vendor remediates the vulnerability sooner.
- Pen Test Partners will make reasonable efforts to establish confidential communications with the vendor. This may involve using the vendor’s published ‘contact us’ email address, Twitter or telephone if no security contact is publicly listed.
- Once contact has been made with the vendor’s security team, or designated contact, Pen Test Partners will communicate full details of the vulnerability, along with a link to this policy and the current planned disclosure date.
- No sensitive vulnerability details will be sent until an agreed communications channel has been established, for example a secure channel, if the vendor has this capability.
- We will provide reasonable assistance to the vendor in understanding the significance of the discovered vulnerability.
- This policy only applies to research conducted and published by Pen Test Partners. We cannot be held responsible for any personal research and disclosure conducted by employees in their own name.
Disclosure timeline
- If the vendor does not respond to our initial contact within 7 days, the original private disclosure is sent again along with a link to this policy and the current planned disclosure date.
- If after 30 days we have not received a response from the vendor to our initial contact attempt, a further contact attempt will be made using any and all contact options available. Pen Test Partners may, at our discretion, approach media sources in the hope that they can help establish initial contact. Note that we may choose to do this sooner should the risk to the public be considered high enough that they need to be warned.
- If after a further 30 days, making 60 days from initial disclosure, we have not received a response from the vendor to our initial contact attempt, a final contact will be made advising of full disclosure in 30 days’ time.
- After a further 30 days, making 90 days from initial disclosure, Pen Test Partners will publish the vulnerability.
- If a response or acknowledgement has been received, we will provide a link to this policy and discuss a disclosure timeline with the vendor, depending on the criticality of the issue. However, if the vendor’s proposed timeline is unacceptably long without very good reason, in line with common disclosure policies, Pen Test Partners will write and publish an advisory detailing the vulnerability. This will happen 90 days after the initial contact has been made with the vendor, irrespective of whether remediation has been implemented (unless a longer timeline has been agreed). This advisory will be made available to the general public.
- Pen Test Partners reserve the right to insist on a significantly shorter remediation time should we feel it is required for the protection of public safety and/or privacy, although in this case we will not publish the findings until the vulnerability has either been remediated or 90 days have elapsed, whichever is sooner.
- Furthermore, we may notify CERT of the vulnerability and may also request or obtain CVEs for the vulnerabilities discovered.
NOTE: At our discretion, where there is significant impact, we may also notify relevant legal or regulatory bodies where we can see there is a breach of law or other industry regulations.
Disclosure timeline: