cirosec follows this responsible disclosure policy when dealing with zero-day vulnerabilities found during research or customer projects. The goal is to balance the need to give the vendor or open-source project (referred to as the “entity” below) enough time to develop and distribute a fix for the vulnerability against the public's need to know about the security vulnerability. The policy is in accordance with industry-standard responsible disclosure practices.
If the vulnerability was discovered as part of a customer project, the plan of action is coordinated together with the customer. We explicitly recommend, however, following the same process as for a vulnerability discovered during internal cirosec research, as described below.
cirosec Security Advisory
When cirosec finds a vulnerability that is not yet publicly known, it documents the vulnerability in the form of a cirosec security advisory (CSA). The advisory may include the following:
- cirosec security advisory identifier (format SA-YEAR-NUMBER, for example SA-2023-001) and CVE, if applicable
- Detailed technical description of the vulnerability and its consequences
- Detailed instructions on how to reproduce the vulnerability and proof-of-concept code, if applicable
- Recommendation on how to fix the vulnerability, if applicable
- The identified vulnerable version
- The disclosure deadline policy
Reporting of a vulnerability
If the entity works with a third-party bug-bounty partner, cirosec uses this channel to report the vulnerability. Otherwise, cirosec reports the vulnerability directly to the entity responsible for developing the fix. First, the publicly documented communication channel for security issues is used. If no official security contact can be identified or no response is received within 7 days, further communication attempts by email or phone to the most appropriate contact at the entity are made where possible. As a last resort, we may try to get in contact with the entity over social networks, such as X (formerly known as Twitter).
The 90 + 30 days disclosure deadline policy
cirosec follows a 90 + 30 days disclosure deadline policy. This means that after cirosec has notified an entity about a security vulnerability, the entity has 90 days to make a fix available to users. If no response from the entity is received within 7 days, further communication attempts are made. If we are not able to get any response from the entity within 21 days after our first contact attempt, we may publish technical details of the vulnerability.
If the entity provides a patch within the 90 days, cirosec publicly discloses details of the vulnerability 30 days after the patch has been made available to users.
- If an entity fixes a security issue 47 days after cirosec has notified the entity about the vulnerability, details will be made public on day 77.
- If an entity fixes a security issue 83 days after cirosec has notified the entity about the vulnerability, details will be made public on day 113.
- If an entity has not fixed an issue within the initial 90 days, cirosec will make the details of the vulnerability public at the end of the 90-day period.
Therefore, each cirosec security advisory will contain the following statement:
This vulnerability is subject to a 90 + 30 days disclosure deadline starting today (YYYY-MM-DD). If a fix for this issue is made available to users before the end of the 90-day deadline, cirosec will publish a vulnerability report 30 days after the fix was made available. Otherwise, this vulnerability report will be published at the end of the deadline (YYYY-MM-DD).
If the fix is expected to be published within 14 days after the deadline expires, cirosec may offer an extension to align with the entity's patch management cycle. There is no further extension beyond those 14 days.
If the entity indicates that a fix will not be issued, for example because the entity does not assess the finding as a security vulnerability or states that it cannot be fixed, cirosec may publish technical details immediately.
cirosec decides on a case-by-case basis whether and in how much detail a vulnerability is disclosed. The same applies to publishing proof-of-concept or exploit code.
Technical vulnerability details are published on the cirosec website.
Version 1.0 - September 29, 2023