Disclosure Policy
Secunia Research strongly believes that coordinated disclosure is the best approach to properly and efficiently address a vulnerability and thus protect a vendor's customers. However, software vendors too often deliberately fail to respond to vulnerability reports, do not respect the valuable work done by the researcher, or simply take too long to develop fixes, thus leaving their customers exposed for an irresponsibly long period of time.

Based on years of experience with vendors of various sizes having various approaches and attitudes towards fixing vulnerabilities, Secunia Research has decided upon the following disclosure policy, which we find to be a reasonable "match" between a fair amount of engineering and quality assurance efforts and the need of providing a timely fix to vulnerabilities:

    1) If no security contact is known for the vendor, an e-mail requesting the security contact e-mail address may initially be sent to certain public e-mail addresses associated with the vendor. It is Secunia policy to never submit vulnerability information via online forms. However, these may be used to request security contact information.

    2) When a security contact or other relevant e-mail address has been identified, the vendor initially receives a mail with the vulnerability details along with a preset disclosure date (usually set to a Wednesday two weeks later).

    3) If the vendor does not respond to the initial mail within a week, it is resent.

    4) If no response has been received by the preset disclosure date, the vulnerability information is published immediately without further coordination attempts.

    5) If the vendor responds to either the initial mail or the resent mail, a new disclosure date may be set in case the vendor cannot meet the preset date.

    6) Secunia expects to receive continuous status updates from the vendor. If none are provided by default, the vendor will be contacted about once a month with a status update request.

    7) Should a vendor not respond to a status update request, it is resent a week later.

    8) Should the vendor not respond to two consecutive status update requests, a mail is sent to the vendor advising that the vulnerability information will be disclosed a week later if no response is received. If no response has been received by that date, the vulnerability information is immediately published without further coordination attempts.

    9) Eventually, the vulnerability information will be published by Secunia Research when:
      a) The preset/agreed disclosure date is reached.
      b) The vendor issues a fix and/or security advisory.
      c) Information about the same vulnerability is published by a third party.
      d) A year from the initial contact date has passed (see #10 for more information).

    10) By default, Secunia will not coordinate a vulnerability disclosure for more than one year. About three months before the one-year mark, the vendor will be informed of a fixed disclosure date set by Secunia Research at the one-year mark, on which the details will be published regardless of patch availability.