Vulnerability Disclosure Policy

Pen Test Partners strongly believes in, and supports, a coordinated approach to vulnerability disclosure.

We always strive to work with vendors to protect customers’ interests, but we have encountered vendors that:

  • Ignore the vulnerabilities we report to them.
  • Don’t respect the many hours of effort made by our researchers.
  • Simply take far too long to develop patches/fixes, leaving their customers vulnerable and at risk.

To this end, Pen Test Partners has developed this disclosure policy.

It is based on years of vulnerability disclosure experience and we believe that it is reasonable and balanced for all involved.

The policy

  • Pen Test Partners will make reasonable efforts to establish confidential communications with the vendor. This may involve using the vendor’s published ‘contact us’ email address, Twitter or telephone if no security contact is publicly listed.
  • Once contact has been made with the vendor’s security team, or designated contact, Pen Test Partners will communicate full details of the vulnerability, including the timeline specified below, which could be extended given a valid reason.
  • No sensitive vulnerability details will be sent until a secure communications channel has been established, if the vendor has this capability.
  • We will provide reasonable assistance to the vendor in understanding the significance of the discovered vulnerability.
  • This policy only applies to research conducted and published by Pen Test Partners. We cannot be held responsible for any personal research and disclosure conducted by employees in their own name.

Disclosure timeline

  1. If the vendor does not respond to our initial contact within 7 days, the original private disclosure is sent again.
  2. If after 15 days we have not received a response from the vendor to our initial contact attempt, Pen Test Partners will send a notification to CERT.
  3. At this point we may, at our discretion, publish the vulnerability, but only if we have had no response or acknowledgement from the vendor.
  4. If a response or acknowledgement has been received, we will agree a disclosure timeline with the vendor.
  5. However, if the vendor’s proposed timeline is unacceptably long without very good reason, then, in line with CERT’s 45-day disclosure policy, Pen Test Partners will write and publish an advisory detailing the vulnerability. This will happen 60 days after the initial contact has been made with the vendor. This advisory will be made available to the general public.

NOTE: At our discretion, we reserve the right to deviate from this policy should we feel it is required for the protection of public safety and/or privacy.