We regularly identify vulnerabilities during our research and consulting activities. SBA Research follows industry best practices. That is why we based our vulnerability disclosure policy on Google’s policy.
For clarity, when we identify vulnerabilities during engagements, we are bound by non-disclosure agreements and adhere to the vulnerability disclosure policy of our customers. Of course, we advise our customers to adopt a vulnerability disclosure policy similar to ours. When we find vulnerabilities in third-party products that might be of interest to the general public, we reserve the right — in close coordination with our customer — to publish security advisories according to our own vulnerability disclosure policy.
SBA Research’s Vulnerability Disclosure Policy
We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why SBA Research adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities as soon as possible, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. That deadline can vary in the following ways:
- If a deadline is due to expire on a weekend or Austrian public holiday, the deadline will be moved to the next normal work day.
- If, before the 90-day deadline has expired, a vendor lets us know that they have scheduled a patch for release on a specific day within the 14 days following the deadline, we will delay public disclosure until the patch is available.
- When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action — within 7 days — is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products. However, it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves. We believe it’s important that vendors disclose that there is evidence to suggest that the vulnerability is under active exploitation.
As always, we reserve the right to bring deadlines forwards or backwards if a particular case requires it. We remain committed to treating all vendors equally. SBA Research expects to be held to the same standard.
This policy is strongly in line with our desire to improve industry response times to security bugs, but it also results in softer landings for bugs marginally over deadline. We call on all researchers to adopt disclosure deadlines in some form; feel free to use our policy verbatim if you find our record and reasoning compelling. Creating pressure towards more reasonably timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.