Cyber Security Works Pvt. Ltd (CSW), a security service provider and research organization, strongly believes that constructive and coordinated disclosure is the best approach to addressing and fixing a vulnerability. We also believe that these contributions to the security community help reduce attack surfaces and vectors against diverse and ever-changing threats.
The CSW vulnerability disclosure policy applies to any third-party vendor product for which CSW will assign CVEs to vulnerabilities, provided the product is not within the scope of another CNA.
Once a security issue is found, CSW will take the following steps to notify the respective parties so that it can be fixed:
- Once we have confirmed the vulnerability, we will gather all the necessary information to communicate the details to the affected party.
- CSW will try to establish initial contact with the affected vendor via email regarding the vulnerability with all the supporting documents.
- If we don’t receive a response from the vendor within seven days of sending the mail, another reminder will be sent. If the vendor does not respond or refuses to acknowledge the vulnerability within 14 days of initial contact, CSW will publicly disclose the vulnerability.
- If we receive a response from the vendor, we will notify them of the vulnerability disclosure date that we have set.
- The vendor will be allowed 90 days to provide a patch or relevant fix for the issue. If provided, then the vulnerability will be disclosed immediately following the vendor’s patch or fix release.
- If a fix is not provided within the 90-day period and no response is received from the vendor, then we will go ahead and disclose the vulnerability on the aforementioned date.
- In the event that the vendor is unable to provide a fix within the deadline but has communicated with CSW regarding this, the deadline may be adjusted. A maximum of six months of coordination will be given to the vendor to fix the vulnerabilities. After that, the vendor will be informed and the vulnerability will be disclosed regardless of whether a fix is available.
- The 90-day deadline mentioned above is not a hard deadline. CSW may shorten or lengthen the deadline based on criteria such as the severity of the vulnerability, ease of exploitation, etc.
- Until the disclosure process is complete, CSW will maintain the confidentiality of any communication to and from the vendor. However, we will disclose the vulnerability to the public irrespective of whether the vendor supports the disclosure.
- All CVEs assigned by CSW and its vulnerability disclosures can be found in the CSW security advisory. Only the advisories present in the security advisory will be considered official documents.