Responsible Disclosure Policy
True to our security researcher roots, Outpost24 takes a serious view of responsible disclosure. We understand the importance of security, privacy and the value of the security research community. Our goal is to help our customers and the public make the best-informed decisions to secure their systems, while maintaining a balance with the software vendor’s need for time to respond effectively.
When our security researchers identify a vulnerability in another vendor’s product, we will:
1. Confidentially contact the vendor to inform them of the vulnerability
We will contact the vendor through security contacts published on their website. If such facilities are not available, we will contact the vendor by email or telephone, striving to make positive contact. After three attempts or three weeks with no response, we will escalate contact attempts to marketing or public relations contacts. This contact should allow the vendor an opportunity to diagnose and offer a fully tested update, workaround or other corrective measure before either party discloses details about the vulnerability or exploit information to the public. Our objective is to confidentially share information about the vulnerability with the vendor.
2. Allow the vendor time to resolve the vulnerability
After initial contact, Outpost24 will allow the vendor a 90-day resolution period to release an update or corrective measure. After that time, vulnerability information will be disclosed to the public regardless of the existence or availability of patches or workarounds from the vendor. In line with Google Project Zero's policy and other Coordinated Vulnerability Disclosure (CVD) principles, Outpost24 will allow additional grace periods if the due date falls on a weekend or public holiday in Sweden, or if the vendor expects to release a patch within 14 days following the due date. Public disclosure of the unresolved vulnerability will only proceed if the resolution period is exceeded. Our objective is to be cooperative, communicative, and diligent about urgency for resolution.
3. Disclose the vulnerability with attribution to the security researchers
At the end of the resolution period, Outpost24 will publicly disclose information including a technical description of the vulnerability and how it was discovered, through a blog post or suitable outlet visible to the security research community. Disclosures made by Outpost24 will include credit to the staff researcher(s) who reported the vulnerability. If the vendor releases a patch or workaround before the end of the resolution period, Outpost24 will immediately disclose information about the vulnerability. Assignment of a CVE is an industry standard for uniquely identifying vulnerabilities and should be included at the first public mention of the vulnerability. For disclosure that exceeds the resolution period, Outpost24 will ensure that a CVE has been pre-assigned. At our discretion we may choose a limited release of proof-of-concept exploit code to the security research community. Our objective is to provide information to the security research community and the public about the vulnerability and the responsible researcher.