Introduction
This policy outlines how RCE Security handles responsible vulnerability disclosure to product vendors and the general public. RCE Security will responsibly and promptly notify the appropriate product vendor of a security vulnerability in their product(s) or service(s).
Summary
The advisory will be immediately published either when:
- The initial deadline ends (10 business days) without any vendor response or acknowledgement of the vulnerability.
- The final deadline ends (45 days).
- The vendor releases an official update.
- A third party publishes an advisory on the same issue.
- The vendor hasn’t responded to multiple previous coordination attempts.
Disclosure Process
At the time of discovery of the security vulnerability, MITRE or the responsible CNA will be contacted to obtain an official CVE identifier. This is intended to facilitate the overall communication process and to help identify the issue publicly.
The first contact attempt will be through any appropriate contacts or formal mechanisms listed on the vendor website, or alternatively through any of the common mail addresses such as security@, support@ or info@ with the pertinent information about the identified vulnerability.
If a vendor fails to acknowledge the initial notification within 5 business days, RCE Security will make a second formal attempt to contact a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, RCE Security may issue a public advisory disclosing its findings ten business days after the initial contact.
If a vendor response is received within the timeframe outlined above, RCE Security allows the vendor 45 days to address the vulnerability with a security patch or other corrective measure as appropriate. At the end of the deadline, if a vendor is not responsive or is unable to provide a reasonable statement as to why the vulnerability is not fixed, RCE Security will publish a limited advisory including mitigations to enable the defensive community to protect users. We believe that by taking these actions, the vendor will understand the responsibility they have to their customers and will react appropriately. Extensions to the 45-day disclosure timeline are at the sole discretion of RCE Security and will only be granted when the vendor provides a detailed explanation.
If a product vendor is unable to, or chooses not to, patch a particular security flaw, RCE Security will offer to work with that vendor to publicly disclose the flaw with potential workarounds. In no case will a vulnerability be “kept quiet” because a product vendor does not wish to address it. To maintain transparency in our process, we intend to publish a summary of the communication we’ve had with the vendor regarding the issue as part of the official security advisory. We hope that this level of insight into our process allows the community to better understand some of the difficulties vendors have when remediating security vulnerabilities. RCE Security will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw.
RCE Security will formally and publicly release its security advisories on our website as well as in our dedicated GitHub repository. Only advisories listed on the website should be considered official RCE Security advisories.