Secunia Research strongly believes that coordinated disclosure is the best approach to properly and efficiently address a vulnerability and thus protect a vendor's customers. However, software vendors too often deliberately fail to respond to vulnerability reports, do not respect the valuable work done by the researcher, or simply take too long to develop fixes, thus leaving their customers exposed for an irresponsibly long period of time.
Based on years of experience with vendors of various sizes and with various approaches and attitudes towards fixing vulnerabilities, Secunia Research has decided upon the following disclosure policy, which we find to be a reasonable balance between a fair amount of engineering and quality assurance effort on the vendor's side and the need to provide a timely fix for vulnerabilities:
1. If no security contact is known for the vendor, an e-mail requesting the security contact e-mail address may initially be sent to certain public e-mail addresses associated with the vendor. It is Secunia policy never to submit vulnerability information via online forms; such forms may, however, be used to request security contact information.
2. When a security contact or other relevant e-mail address has been identified, the vendor initially receives an e-mail with the vulnerability details along with a preset disclosure date (usually set to a Wednesday two weeks later).
3. If the vendor does not respond to the initial e-mail within a week, it is resent.
4. If no response has been received by the preset disclosure date, the vulnerability information is published immediately without further coordination attempts.
5. If the vendor responds to either the initial e-mail or the resent e-mail, a new disclosure date may be set in case the vendor cannot meet the preset date.
6. Secunia expects vendors to provide continuous status updates on their progress. If none are provided, the vendor is contacted about once a month with a status update request.
7. Should a vendor not respond to a status update request, it is resent a week later.
8. Should the vendor not respond to two consecutive status update requests, an e-mail is sent to the vendor advising that the vulnerability information will be disclosed a week later if no response is received. If no response has been received by that date, the vulnerability information is published immediately without further coordination attempts.
9. Ultimately, the vulnerability information is published by Secunia Research when any of the following occurs:
a) The preset/agreed disclosure date is reached.
b) The vendor issues a fix and/or security advisory.
c) Information about the same vulnerability is published by a third party.
d) Either half a year or a full year has passed since the initial contact date (see #10 and #11 for more information).
10. By default, vulnerabilities are coordinated for no more than six months. About one month prior to the six-month mark, the vendor is informed of a fixed disclosure date set by Secunia Research at the six-month mark. On that date, a Secunia advisory is published regardless of patch availability.
11. A vulnerability may in certain cases be coordinated for up to one full year if the vendor communicates a clear intention to address the vulnerability, commits to a date within that period, and the vulnerability is considered complex to address.