conviso responsible disclosure policy


Upload: conviso-application-security, posted on 10-Apr-2015


Page 1: Conviso Responsible Disclosure Policy

1. Introduction

Vulnerabilities in computer-related products are commonly discovered as a result of security tests and research. We believe that knowledge of these flaws creates a shared responsibility between the IT security company that discovered the vulnerability and the related vendor, which must work together to address the problem and supply the user community with an adequate response.

As a network and application security consulting firm, we are constantly researching new methods to understand and exploit computer products, anticipating new threats and developing countermeasures to prevent them for our customers. This policy states how Conviso IT Security will minimize risks to our clients and to the market and contribute to the security community through Responsible Disclosure.

2. Discovery Process

When a vulnerability is discovered, Conviso Security Labs will prepare a Security Advisory that describes the vulnerability, identifies the related vendor and which versions of the component are vulnerable, potential ways the vulnerability can be exploited, proposed risk-reduction countermeasures, and the risk to the user community.

This document will be prepared in draft form and shared with the vendor, and a Common Vulnerabilities and Exposures (CVE) number will be requested from MITRE [1] in order to prepare for the publishing process. Public availability will proceed according to the timeline defined in this policy.

3. Liaising with Impacted Vendor

The impacted vendor will be notified after completion of the Security Advisory draft, and a copy of this document, together with any other information that may be helpful, will be provided. The vendor will be notified using the publicly available contact name or email address listed on its public website.

We understand that as soon as communication is established with the vendor, a collaboration process must begin to achieve a full understanding of the vulnerability and to agree on a corrective action. The day the vulnerability is communicated to the vendor will be considered “Day 0” of the disclosure timeline, and we expect a response by email within 7 days that acknowledges receipt of our notification and identifies a plan to address the vulnerability.

Conviso IT Security | Responsible Disclosure Policy 1

[1] http://cve.mitre.org/

4. Collaboration with Other Parties

Conviso IT Security will inform its customers immediately about any vulnerability identified and may disclose the vulnerability to other computer security response teams, such as CERT or CERT-BR, if the impact justifies this action.

5. Security Advisory Release Coordinated with the Vendor

Conviso IT Security will prepare the final version of the Security Advisory, which discloses the same information originally provided to the vendor (unless facts have changed) as well as the available workarounds or patches that have been made available by the vendor or Conviso Security Labs. This advisory will be coordinated with the vendor and will be issued at the time a fix is available. The advisory release will be written by Conviso Security Labs and approved by the Research & Development Manager and the Operations Manager.

| Task | Timeline | Comments |
|---|---|---|
| Security Advisory Draft development | Day 1 | N/A |
| Conviso IT Security’s customers notified | Day 2 | Customers will be notified immediately upon conclusion of the Security Advisory draft version. |
| Vendor notified (first attempt) | Day 2 | Vendor will be notified immediately upon conclusion of the Security Advisory draft version. |
| Vendor notified (second attempt) | Day 12 | A second contact attempt will be made 10 days after the initial one if no response is received from the vendor. |
| Vendor notified (third attempt) | Day 22 | A third contact attempt will be made 20 days after the initial one if no response is received from the vendor. |
| Vendor notified (final attempt) | Day 32 | A final contact attempt will be made 30 days after the initial one if no response is received from the vendor. |
| Publish the Security Advisory | Day 62 | A timeline of 60 days will be provided for the vendor’s effort to provide a patch and/or workaround to address the related vulnerability. |

6. Timeline

All vulnerabilities will be disclosed to the public 90 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious nature, or situations that require changes to an established standard, may result in earlier or later disclosure.

In the common case we intend to follow a timeline of 60 days between vulnerability identification and public availability of the Security Advisory, which we consider an acceptable deadline for a large organization to meet.
