
Disclosure Policy

In order to protect and improve the security of users, we manage the disclosure of newly discovered vulnerabilities in a coordinated and responsible way.

Aim of the present disclosure policy

At Unlock Security, we assess and coordinate the disclosure of the security vulnerabilities found during our research activities. The following disclosure policy defines the terms and timing by which we contact the vendor of the vulnerable software, from the first notice through the patch release to the publication of the details.

First contact

In a responsible and timely manner, Unlock Security informs the software vendor that there is a security flaw in its product. The first contact attempt is made through all the contact details and public channels provided by the vendor, or by sending an e-mail with the details of the detected flaw to security@, support@, info@ and secure@vendor.tld. If the vendor does not reply to the first notice within 3 (three) working days, Unlock Security sends a second notice through a different contact method, if one is available.

Along with the first attempt to contact the vendor of the vulnerable software, Unlock Security requests a new CVE ID from MITRE, regardless of the terms defined in the present disclosure policy. Once assigned, the CVE ID is not made public until the period defined in the section “Expiration” has elapsed.

Expiration

The vendor of the vulnerable software is granted 30 (thirty) days to create and publicly release a patch for the security vulnerability reported by Unlock Security. The deadline can be extended in cases of extreme complexity, but cannot exceed 120 (one hundred twenty) days from the first notice. Once the granted period has expired, Unlock Security may publicly disclose the vulnerability details on its Advisory page and on its social media channels.

Disclosure

As soon as the vendor of the vulnerable software releases an adequate security patch, Unlock Security publicly discloses the details of the discovered vulnerabilities through official bulletins available on the Advisory page.

If the software vendor does not respond, or cannot provide a valid reason why the vulnerability has not been fixed by the deadline, Unlock Security may include a mitigation plan in its security bulletin so that the community can protect its users' data. At its sole discretion, Unlock Security may delay the disclosure of the details of fixed vulnerabilities in order to give affected users the time needed to update their systems.

Following the public disclosure, Unlock Security also publishes the CVE ID assigned by MITRE.