Coordinated Vulnerability Disclosure Process

Your Role

If Security Innovation researchers reach out to you or your team, know that our primary goal is to improve the security posture of your product and its users. When we reach out, we are offering our time and security expertise to help you. We are outlining this policy so that you understand our aims, processes, and motivations.

Novel vulnerability discovery research helps educate and advance the security community, improves the security of end-users, and allows your team to demonstrate your commitment to security. We believe that it is our social and professional responsibility to assist in creating a safer world.

Purpose

The purpose of this document is to outline the procedures that Security Innovation researchers follow for the disclosure of vulnerabilities identified during novel vulnerability discovery research. This policy aims to provide a responsible and safe method to disclose and coordinate on fixing security issues and ensure that the appropriate fixes for the disclosed vulnerabilities are released in a timely manner.

This policy is specifically for use during independent security research and does not apply to security assessments performed on behalf of our clients.

Vulnerability Disclosure Procedure

Vulnerability discovery research often occurs in distinct phases. In the first phase, a standard research methodology is used to systematically identify vulnerabilities. In the second phase, any identified vulnerabilities are disclosed to parties determined to be in the best position to fix the security issues. Finally, in the third phase, the research is shared more broadly with the security community as a whole.

1. Discovery Phase

During the first phase, researchers at Security Innovation will select a target information system, such as an application, device, or protocol. The researcher will gather information to gain a deeper understanding of the system.

The researcher then performs comprehensive testing of the system using Security Innovation's proprietary collection of security testing tools, third-party industry-standard tools, and manual techniques. Due to the nature of vulnerability discovery research, the particular techniques used may vary widely, from simple source code review, to elaborate and novel fuzzing techniques, to infrastructure and environment review. All vulnerabilities are then validated for accuracy and impact.

The researcher will produce a detailed report of all the vulnerabilities uncovered during the research at this stage. The typical vulnerability research final report can contain:

  • An executive summary that provides:
    • Depth and breadth of test coverage
    • Focus areas during the research
    • Key risks and mitigations
  • Impact and severity of the vulnerabilities uncovered
  • Detailed description and steps to reproduce the vulnerability
  • Remediation recommendations that can be used to fix the defect
  • Proofs-of-Concept/Scripts created during the research

Every effort will be made to provide a complete report which contains all vulnerabilities identified by Security Innovation. However, if researchers have reason to believe that a discovered vulnerability is being actively exploited, an intermediate report may be provided covering the most urgent issues.

2. Private Disclosure Phase

Security Innovation researchers will make every effort to contact the parties responsible for the vulnerable product. This will be attempted in several ways:

  • Preferred method listed in a product owner’s vulnerability disclosure policy
  • Submission through a public vulnerability disclosure or bug bounty platform (e.g. Bugcrowd, HackerOne)
  • Emails to likely addresses (e.g. security@)
  • Emails to product support (e.g. support@)
  • Messages in support forums or source code platform (GitHub, GitLab, SourceForge, etc.)
  • Reach out to secondary or related projects to attempt to identify a primary point of contact

No sensitive details are shared during initial communication until contact with the responsible individuals or teams is established. Once initial contact is successful and a secure communication medium is established, Security Innovation will share the vulnerability research report describing the security vulnerabilities.

Security Innovation will then collaborate with the responsible party to assist in remediation and to establish a target remediation and public disclosure timeline. If there are no extenuating circumstances, this timeline is typically the industry standard of 90 days from Security Innovation's initial contact. This provides a balance between flexibility for the responsible party and ensuring the security of end-users. If extenuating circumstances exist and the responsible party requires a longer duration before a fix will be made readily available, Security Innovation will consider these circumstances and may extend the timeline.

Security Innovation may also request that the CVE Program (MITRE, or the CVE Numbering Authority responsible for the product) reserve CVE identifiers at this time. Where applicable, these identifiers will be shared with the responsible party for bug tracking and remediation, and used during public disclosure.

Disclosure Deadline Exceptions

Security Innovation will determine the impact, likelihood, and environmental factors of the vulnerabilities and may choose to publicly disclose them as well as the responsible party’s response if any of the following events occur:

  • The responsible party does not respond to any contact attempts for more than 60 days.
  • The responsible party stops responding for more than 30 days.
  • The responsible party states that they will not fix the reported issues, or does not recognize them as security vulnerabilities.

Security Innovation may choose to immediately publicly disclose the issues under these circumstances:

  • The vulnerabilities are being actively exploited.
  • The vulnerabilities are leaked or made public by a third-party.
  • The vulnerabilities can lead to an immediate risk to life or safety.

Each vulnerability discovered during the research may be different, and as such might require deviations from the documented process to ensure that we remain in line with our goal of improving the safety and security of end-users in the best possible time frame.

3. Public Disclosure Phase

After the private disclosure phase has ended, Security Innovation researchers will publicly share the vulnerabilities with the wider security community. This may include, but is not limited to:

  • Release of details to the CVE Program
  • Presentation of findings at security research conferences
  • Discussion on security mailing lists
  • Blog posts on the vulnerabilities

Sharing with the public helps educate and advance the security community, ensures end-users are aware of issues affecting them, and allows the responsible party to demonstrate their commitment to security.