Vulnerability Policy

One of my hobbies is to locate security vulnerabilities in websites and report them so they can be fixed.

For these non-contracted cases, the following policy applies.

Note: This does not apply to anyone who has contracted me to locate vulnerabilities, as everything discovered under contract will remain completely confidential indefinitely.

Upon the discovery of a new exploit, a contact attempt will first be made by the preferred means on the vendor's site, be it phone, email, or form.

From the day the exploit is noted, the vendor or producer has exactly 30 days until the 0-day exploit is released into the wild. A simple email or other means of contact showing acknowledgment can delay or even prevent the release of the exploit, depending on severity and other circumstances.

If the exploit is still present in the next version of the application, another contact attempt will be made and the same 30-day rule will apply.

As I am a strong believer in both freedom of information and private security, every attempt to contact the vendor/producer will be exhausted at regular intervals throughout the 30-day period. As such, only a complete DOLT would ignore such warnings without so much as an acknowledgment that they are attempting to fix the problem.

The contact emails will each contain the following:

  1. The exact location and nature of the exploit
  2. A proof of concept demonstration
  3. A basic assessment of risk
  4. A suggestion on how to fix the exploit, and if within reason, specific functions, filters, or measures to alleviate the issue

The exception is those clients that have hired me specifically to perform a security test on their application or website, as they will have indefinite time.
