This policy outlines the responsible vulnerability disclosure process Sense of Security follows with product vendors, security vendors and the general public.
Sense of Security will responsibly and promptly notify the appropriate vendor of a security flaw within their product(s) or service(s).
The contact process is as follows:
The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor's web site. If a vendor fails to respond within five (5) business days, a second notification will be sent following the same route. If no response from the vendor is received within an additional three (3) days, contact may be attempted via an intermediary with the vendor. If contact regarding the issue remains unsuccessful and Sense of Security has exhausted all reasonable means to contact the vendor, Sense of Security may issue a public advisory disclosing vulnerability details after thirty (30) days from the initial contact attempt.
If a vendor responds and acknowledges the issue, Sense of Security will provide the vendor with forty-five (45) days to provide a patch or workaround to affected customers. Sense of Security will attempt to work with the vendor to assist in developing a fix. It is our goal to balance the public's need to be informed of security vulnerabilities with the vendor's need for time to respond appropriately. The final determination of a publication date will be solely at Sense of Security's discretion, based on the best interests of the community.
If a vendor chooses not to address a particular issue, Sense of Security will attempt to provide an effective workaround for the affected product(s) or service(s). However, no vulnerabilities will remain undisclosed due to a vendor not wishing to address the issue.
Sense of Security will formally and publicly release its security advisories at http://www.senseofsecurity.com.au/research/it-security-advisories and various security mailing lists.