Vulnerability Disclosure Policy
Pen Test Partners strongly believe in and support a coordinated approach to vulnerability disclosure. We always strive to work with vendors to protect customers' interests.
We have, however, encountered vendors that ignore vulnerabilities reported to them by us, that don't respect the many hours of effort made by the researcher, or that simply take far too long to develop patches/fixes, leaving their customers vulnerable and at risk.
To this end, Pen Test Partners has developed this disclosure policy.
It is based on years of vulnerability disclosure experience and we believe that it is reasonable and balanced for all involved.
• Pen Test Partners will make every effort to establish confidential communications with the vendor. This may involve using the vendor’s published email address if no security contact is publicly listed.
• Once contact has been made with the vendor's security team, or designated contact, Pen Test Partners will communicate full details of the vulnerability, including the timeline specified here, which could be extended given a valid reason. No sensitive vulnerability details will be sent until a secure communications channel has been established, if the vendor has this capability.
• We will provide reasonable assistance to the vendor in understanding the significance of the discovered vulnerability.
• If the vendor does not respond to the initial contact within one week, the original email is resent.
• 15 days after initial contact is made with the vendor, Pen Test Partners will send a notification to CERT.
• In line with CERT's 45-day disclosure policy, Pen Test Partners will write and publish an advisory detailing the vulnerability 60 days after initial contact has been made with the vendor. This advisory will be made available to the general public.