We believe in responsibly disclosing vulnerabilities. When we discover a vulnerability in an external vendor's product, the vendor will be given the opportunity to address it before we share details with the public. Our coordinated disclosure policy strives to protect our partners and the larger security community by giving the vendor time to provide a fix, while also notifying the public as soon as possible.
- When we discover a vulnerability in another vendor's product, we will immediately notify the vendor via the contact information listed on the vendor's website. Vulnerability details will be shared with the public as soon as the vendor releases a fix, or after 90 days from the date of disclosure to the vendor.
- Huntress will work with the vendor to publicly disclose the vulnerability on an agreed-upon date, allowing the vendor to publish its own advisory alongside our advisory written from the perspective of our security experts. We will provide vendors with a draft of our advisory before publishing.
- If Huntress observes a zero-day vulnerability under active exploitation, urgent action is required. We will publicly disclose applicable mitigations immediately as they become available. We will disclose the vulnerability to the vendor immediately and to the public within 7 days. We do this to close the window of opportunity for attackers and deny them the chance to compromise more devices or accounts. This is a short period for vendors to respond, but it allows mitigation guidance to be published in the interim.
- If the vendor is not a CVE Numbering Authority (CNA), Huntress will assign the CVE ID and share it with the vendor.
We reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. We expect to be held to the same standard.