Sign in Subscribe

Content Policy

This blog does not reflect the skill sets, opinions, understanding, methodology, or security practices of any past, present, or future employer.

The content shared here is created outside of any professional capacity on my own time & assets. I conduct and share everything posted here independently of any entity or organization. Nothing posted here represents or is endorsed by any organization. No one speaks for me or through me.

Any personal views expressed in this blog stand separate from my professional associations, & I maintain full responsibility for all content published on this platform.

Everything I share is for educational purposes. I strictly follow industry-standard responsible disclosure practices outlined below before publishing vulnerability details. This means I notify affected parties and give them a reasonable time to address issues before going public. I strive to keep everything legal and aboveboard. That said, I'm not responsible if someone takes my code or research and misuses it. All tools and code are provided as-is, with no warranties.

This disclaimer applies to all content across this blog and related platforms.

I am committed to ethical vulnerability research and responsible disclosure. My primary objective is to enhance security by identifying and reporting vulnerabilities in a manner that prioritizes the safety of end-users. My blog serves as an educational platform aimed at improving awareness and security practices, rather than harming brands or reputations.

Disclosure Process

  1. Initial Contact & Communication Attempts:
    • I will make at least five attempts to establish confidential and detailed communication with the vendor. This may include reaching out via official email channels, social media (LinkedIn, Twitter), company phone lines, and direct contacts.
    • Multiple communication methods (WeChat, LinkedIn, Email, Telegram, WhatsApp, and Telephone) will be provided for the vendor’s convenience.
  2. Disclosure Timeline:
    • A 90-day disclosure deadline is generally followed, starting from the initial contact.
    • This period may be shortened if the vendor remediates the vulnerability sooner.
    • If the vendor requires additional time to patch the vulnerability, an extension may be granted based on reasonable justification.
  3. Vendor Collaboration:
    • Upon successful contact, I will share details of the vulnerability and express my willingness to collaborate on remediation and retesting.
    • Secure communication channels will be established to facilitate information sharing.
    • I will assist in ensuring the vendor understands the significance of the vulnerability.
    • After a patch is released, I may conduct independent verification to confirm its effectiveness.

Ethical Considerations & Judgment

While I strive to follow a structured process, I reserve the right to exercise my better judgment in cases where vendor negligence poses an ongoing risk to users.

  • Non-Responsive Vendors: If a vendor remains unresponsive after multiple contact attempts, I may proceed with public disclosure to protect end-users.
  • Critical Risks: In cases where a vulnerability poses an imminent threat to public safety or security, I may adjust the disclosure timeline accordingly.
  • Ethical Dilemma Considerations: Each disclosure is weighed against the potential impact on users, the likelihood of exploitation by malicious actors, and the vendor's ability to remediate.

Final Decision on Disclosure

The ultimate decision to disclose or withhold information publicly is made after careful evaluation of:

  • The vendor’s responsiveness and willingness to remediate.
  • The risk of exploitation by bad actors.
  • The broader security implications for affected users.

The goal remains the same: to make the internet a safer place by encouraging vendors to improve their security posture while minimizing risk to the public.

Contact & Concerns

If you have any issues with my content or views expressed in my blog, it's not that deep & I almost certainly didn't try to upset you. I'm happy to straighten things out & make things right. You can reach me on Signal @boschko.01 or Twitter @olivier_boschko.