Disclosure Policy
I am committed to ethical vulnerability research and responsible disclosure. My primary objective is to enhance security by identifying and reporting vulnerabilities in a manner that prioritizes the safety of end-users. My blog serves as an educational platform aimed at improving awareness and security practices, rather than harming brands or reputations.
Disclosure Process
- Initial Contact & Communication Attempts:
  - I will make at least five attempts to establish confidential and detailed communication with the vendor. This may include reaching out via official email channels, social media (LinkedIn, Twitter), company phone lines, and direct contacts.
  - Multiple communication methods (WeChat, LinkedIn, Email, Telegram, WhatsApp, and Telephone) will be provided for the vendor's convenience.
- Disclosure Timeline:
  - A 90-day disclosure deadline is generally followed, starting from the initial contact.
  - Disclosure may take place earlier if the vendor remediates the vulnerability before the deadline.
  - If the vendor requires additional time to patch the vulnerability, an extension may be granted based on reasonable justification.
- Vendor Collaboration:
  - Upon successful contact, I will share details of the vulnerability and express my willingness to collaborate on remediation and retesting.
  - Secure communication channels will be established to facilitate information sharing.
  - I will assist in ensuring the vendor understands the significance of the vulnerability.
  - After a patch is released, I may conduct independent verification to confirm its effectiveness.
Ethical Considerations & Judgment
While I strive to follow a structured process, I reserve the right to exercise my own judgment in cases where vendor negligence poses an ongoing risk to users.
- Non-Responsive Vendors: If a vendor remains unresponsive after multiple contact attempts, I may proceed with public disclosure to protect end-users.
- Critical Risks: In cases where a vulnerability poses an imminent threat to public safety or security, I may adjust the disclosure timeline accordingly.
- Ethical Dilemma Considerations: Each disclosure is weighed against the potential impact on users, the likelihood of exploitation by malicious actors, and the vendor's ability to remediate.
Final Decision on Disclosure
The ultimate decision to disclose or withhold information publicly is made after careful evaluation of:
- The vendor’s responsiveness and willingness to remediate.
- The risk of exploitation by bad actors.
- The broader security implications for affected users.
The goal remains the same: to make the internet a safer place by encouraging vendors to improve their security posture while minimizing risk to the public.