Last Update: November 16, 2009
This document describes Onapsis' Vulnerability Disclosure Policy, which serves as the general guideline for disclosing vulnerabilities discovered by the Onapsis Research Labs in the form of a security advisory.
It is in Onapsis' best interest to contribute to the continuous improvement of the security of the enterprise software used by its customers. Therefore, we consider it important to establish a clear procedure to be followed by all involved parties, in order to minimize risk and provide a complete solution to the security issues found.
Based on years of experience in the industry, we strongly believe that these measures provide the best balance for all the parties involved: vendors, customers and the general community.
Upon the discovery of a new security vulnerability, the following procedure will take place:
1) Onapsis sends an e-mail to the vendor's publicly available security e-mail contact, notifying the vendor that a new vulnerability has been discovered and requesting a PGP/GPG key so that the detailed information can be sent encrypted.
- If the vendor does not provide a PGP/GPG key, the information will be sent unencrypted at the vendor's risk. Onapsis will not be responsible for any disclosure of the vulnerability information resulting from the use of unprotected communication channels.
- If the vendor does not respond to the original contact, Onapsis will make two additional contact attempts, making the best possible effort to reach the vendor through different channels (e.g. online forms). If those contacts are also disregarded, the security advisory is published.
2) Onapsis sends a Security Vulnerability Submission document to the vendor, containing the technical information regarding the vulnerability. This document is provided together with a reference to this Policy and a preset disclosure date, usually set 21 days later.
- If the vendor does not respond to the submission by the preset date, the security advisory is published.
3) Once the vendor confirms receipt and analysis of the vulnerability report, the vendor must provide Onapsis with an estimated release date for the solution, which should be no more than 45 days away. Onapsis will post the name of the vulnerability and the estimated release date in the "Upcoming Advisories" section of its website.
4) While the solution is being developed, Onapsis will be available to provide further information or specialized assistance to the vendor, in order to help it better understand the risks involved and to contribute to the development of a comprehensive solution. During this process, Onapsis expects the vendor to provide periodic updates on the status of the case.
- If the vendor does not provide status updates, Onapsis will send a request for status once a month. If the vendor does not respond to the initial status request within 14 days, an additional request will be sent. If no response is received to this second request within 14 days, the security advisory is published.
5) Finally, Onapsis will publish the security advisory containing the vulnerability information when any of the following occurs:
- The preset/agreed disclosure date is reached.
- The vendor releases a security advisory/solution to its customers and/or the general public.
- The vulnerability information is published by a third party.
- More than 12 months from the original contact have passed.