VULNERABILITY DISCLOSURE PROCESS
- Securifera will make every attempt to contact the product vendor using whatever communication channels are discoverable for the vendor (web form, email, social media, phone number).
- Securifera will provide all relevant vulnerability details to the vendor to assist in discovery and mitigation.
- Securifera will maintain confidentiality regarding vulnerability information throughout the duration of the responsible disclosure process within the agreed-upon disclosure window, typically 90 days.
- Securifera will assign a CVE number to the vulnerability if the vendor is not a MITRE CNA or does not have an agreed-upon timeline for issuance of a CVE by a MITRE CNA.
- Securifera will release a public advisory on the Securifera website or social media after the completion of the responsible disclosure process with accompanying vulnerability details.
- Securifera will perform public disclosure on an arbitrary date of its choosing if the vendor is unreachable by Securifera using the above-mentioned communication methods or if the vendor becomes unresponsive for more than 30 days.
VULNERABILITY DISCLOSURE SCOPE
All vulnerabilities discovered in third-party software while performing vulnerability research, penetration testing, or red team assessments that do not fall within the scope of an existing vendor CNA.