Responsible Disclosure Policy

1 PURPOSE OR OBJECTIVE

1.1 The purpose of this Responsible Disclosure Policy is to ensure any vulnerabilities discovered by Pentest Limited are responsibly disclosed.

1.2 Wherever possible, Pentest will follow the Co-ordinated Vulnerability Disclosure (CVD) process outlined in CERT’s guide to Co-ordinated Vulnerability Disclosure (Special Report CMU/SEI-2017-SR-022).

1.3 This policy outlines Pentest’s requirements in respect of coordinated vulnerability disclosure, but this policy is subject to all the laws, rules and regulations by which Pentest is governed. In the event this policy allows employees of Pentest to exercise discretion, such discretion must be exercised within the confines of Pentest’s statutory obligations and must not contravene any of its legal, accounting or other regulatory requirements.

2 SCOPE

This policy applies to:

2.1 All Pentest employees, temporary staff, contractors (also referred to as associates), and third parties as related to the authorised use of Pentest information, client information and information covered under Non-Disclosure Agreements (NDAs).

3 DEFINITIONS

3.1 VENDOR: A vendor is a supplier of software or hardware, whether a company, individual or other entity.

3.2 ISSUE: A cybersecurity finding which could be potentially destructive or malicious to the vendor.

3.3 PATCH: A scheduled set of changes to the application, or infrastructure, implemented to update and fix vulnerabilities.

3.4 VULNERABILITY: A vulnerability is a software, hardware or procedural flaw which has the potential to cause undesirable behaviour within a system.

4 RESPONSIBILITIES

4.1 Any employee discovering a vulnerability will do their utmost to report it to the affected vendor in a timely manner. If such a vulnerability is discovered in a 3rd party component during a client engagement, disclosure to the vendor will take place in a co-ordinated manner with the client.

4.2 Pentest’s Director of Research shall be aware of all unresolved vulnerability disclosures.

5 REQUIREMENTS

5.1 Vulnerability Discovery

⎯ If a significant vulnerability is discovered during research, it will be reported to any affected vendors as soon as is reasonably possible.

⎯ If a significant vulnerability is discovered during a client engagement, it will be reported to the client wherever feasible, within 24 hours of discovery. If the vulnerable component is owned and/or controlled by a 3rd party, then all reasonable steps will be taken to notify the 3rd party also. Any correspondence with the 3rd party will be in co-ordination with the client.

5.2 Vendor Disclosure

⎯ All efforts will be made to establish a secure communication line with all affected vendors.

⎯ All efforts will be made to help the vendor create a patch or other modification by which the vulnerability can be addressed.

⎯ If it has not been possible to contact a vendor directly, efforts will be made to use independent 3rd parties to facilitate communication.

5.3 Co-ordinated Public Disclosure

⎯ The aim of CPD is to not disclose sufficient technical details to aid any other party in reproducing the issue prior to a technical solution being available.

⎯ Pentest will strive to never publicly report technical details of a vulnerability until a patch has been released by the affected vendor(s) and sufficient time has passed to reasonably expect said patch to have been applied by end-users.

⎯ If every reasonable effort has been made to contact a vendor (both directly and through any relevant 3rd parties) and it has not been possible to open a line of communication, it may be necessary to disclose details in the interests of end-user security. Pentest would seek to do so 45 days from the initial attempt to disclose the vulnerability.

⎯ Similarly, if a vendor becomes uncommunicative or does not appear to be operating in the best interests of end-user security for a prolonged period of time, Pentest may consider unilateral disclosure.

6 IMPLICATIONS OF NON-COMPLIANCE

6.1 Breaches of this policy may result in Pentest being non-compliant with legislative or regulatory requirements or may expose Pentest to reputation damage, financial penalties or loss of clients.

6.2 Non-compliance with this policy will be investigated and may result in disciplinary action up to and including termination of contract.

7 SUPPORTED / RELATED POLICIES

7.1 The following Pentest policies (and/or procedures) should be read in conjunction with this policy.

7.1.1 Information Security Policy
7.1.2 https://www.microsoft.com/en-us/msrc/cvd
7.1.3 https://resources.sei.cmu.edu/asset_files