Digital Defense discloses information about newly discovered vulnerabilities to protect our clients’ computing networks from possible compromise by unauthorized parties. The company recognizes, however, that organizations who do not contract with Digital Defense may suffer from the public disclosure of this type of information. For this reason, the company has a policy and process in effect that details how Digital Defense manages the public reporting of security vulnerability information.

The primary goals of Digital Defense’s Vulnerability Disclosure Policy are as follows:
- Protect Digital Defense clients from risk of compromise resulting from the exploitation of newly discovered vulnerability by unauthorized parties.
- Effectively communicate vulnerability information to clients, computer industry vendors, and the public so that remediation solutions can be developed quickly and efficiently.
- Minimize risk introduced by newly discovered vulnerabilities to all parties potentially exposed.
Digital Defense believes that the industry as a whole benefits from the responsible reporting of newly discovered security vulnerabilities. The following process will be followed by Digital Defense personnel.
Vulnerability Disclosure Process
From time to time our security analyst team discovers new vulnerabilities in the course of its research. When a new vulnerability is discovered, Digital Defense follows a Vulnerability Disclosure Process to communicate its findings to industry stakeholders, namely computer industry vendors, our clients, and the public. This process is described here.
- We contact the vendor who developed the platform containing the vulnerability via a PGP-signed e-mail (encrypted if possible) and notify them of the details of the vulnerability. The notice will be sent to the following standard set of addresses for the vendor:
- We also notify the vendor that the Company plans to disclose the vulnerability on the following schedule, with special exceptions made as deemed prudent:
  - An advisory to our clients describing the vulnerability, along with known remediation information. Sent after 30 calendar days.
  - An advisory to the general public describing the vulnerability, along with known remediation information. Sent after 45 calendar days. (The Company strongly prefers to make this announcement as a joint release with the platform vendor, but this may not always be feasible.)

Note that the lack of a response to our notice from the vendor will not have an impact on this release schedule.
The Company requests a written acknowledgement (e-mail acceptable) back from the vendor indicating that the vendor is aware that we intend to release an advisory describing the vulnerability on the vendor’s platform, and that Digital Defense desires to make a joint release.
- We simultaneously commence development of a Consolidated Vulnerability Check (CVC), using normal CVC development logging and request methods. The goal of the CVC is to detect the presence of the vulnerability during a vulnerability assessment or a penetration test.
- After completing the first two steps noted above and waiting the requisite 30 calendar days, the Company releases the advisory (without Exploit References or Exploit Code) to Digital Defense clients for their advance review.
- Fifteen calendar days after completing this previous step, the Company releases the advisory (without Exploit References or Exploit Code) to the general public.
- If the vendor does not resolve the vulnerability within the requisite 45 calendar days, the Company works with a vulnerability coordinator such as CERT (Carnegie Mellon University’s Computer Emergency Response Team) to make the vulnerability information available to the general public.
- Fifteen calendar days after completing the previous step, the Company updates the advisory with any new information and posts the information on Digital Defense’s website under Vulnerability Research Team Advisories.