It is MWR InfoSecurity’s intention to meet a number of key objectives during the disclosure process and these are listed here:
Upon the discovery of any previously unpublished security vulnerability, a period of analysis and further research will initially be conducted. Subsequently, an advisory will be produced that documents the type of issue and its causes. The advisory will also include details of any proof of concept exploit and an immediate workaround to mitigate the risk that the issue exposes.
Once the advisory has been produced it will initially be released to the vendor of the affected product or software. However, if the vulnerability is discovered during a penetration test being conducted against one of MWR InfoSecurity’s clients it will be disclosed to them in the first instance. This will ensure that they receive the highest level of service with respect to the reduction of business risk. Each of MWR InfoSecurity’s clients is subject to a Non-Disclosure Agreement so that the information shared with them cannot be redistributed without our express permission.
Every vulnerability discovered is individually assessed to quantify the risks associated with it. The results of this review are used to guide disclosure using the following high-level process.
It is hoped that a communication channel will be established with the vendor within 2 weeks of initial attempts to contact them. Using this channel, it is expected that the vendor will inform MWR InfoSecurity of their intended fix for the issue and establish a "reasonable" timeline for the publication of patches and updates for the vendor's customers. MWR InfoSecurity will endeavour to work with any software vendor to ensure that the entire disclosure process is in line with their timelines.
A date for publishing the advisory to MWR InfoSecurity's clients, and then subsequently to the public, will also be agreed. However, if the communication channel is not maintained by the vendor, MWR InfoSecurity retains the right to alter the timescales for publication based on the level of service expected by its clients.
This disclosure policy is documented to ensure that all parties involved in the process are aware of its aims and objectives. As stated previously, each vulnerability that is discovered will be different, and it is expected that the disclosure process can be conducted in a manner that provides the greatest level of assurance to all affected parties. Where deviations from this process are required, they will be conducted in a manner that is in line with the objectives set out here.