The Access42 expert teams detect new, not yet documented vulnerabilities in third-party products as part of their daily work.
This happens, for example, during the research phase when developing new vulnerability tests, and also while supporting customers with their individual environments and configurations.
When we identify a security problem in a third-party product, we practice Responsible Disclosure and ask only that Access42 be credited for finding and documenting the weakness.
Our policy for a Responsible Disclosure is as follows:
1. Inform the vendor about the finding and provide as many details as possible.
2. Motivate the vendor to clarify the conditions, severity and reach of the vulnerability. Access42 will try to provide as much helpful information as possible.
3. Motivate the vendor to identify whether an easy-to-apply workaround could close the attack vector. Access42 will try to support verification of such a workaround.
4. Clarify with the vendor whether it wishes to publish the vulnerability itself via CVE (Common Vulnerabilities and Exposures, http://cve.mitre.org/) or whether Access42 or another party should do so. In any case, Access42 asks to be credited for finding and documenting the vulnerability.
5. Motivate the vendor to prepare an official security update, and take this into account in our vulnerability tests.
6. In case the vendor does not respond to our report or in other ways ignores attempts to cooperate on documenting and publishing the weakness, Access42 will publish the vulnerability entirely on its own.
We will do so after 30 days if we receive no constructive response at all.
We will also do so after 90 days if the vendor has neither made a security update available to customers nor at least informed users about the threat.
In any case, Access42 reserves the right to add a Network Vulnerability Test for the reported problem to its managed security service from the first day on. This is to help our customers be aware of the threat and take appropriate measures as early as possible.
7. In case the vendor publishes and documents the vulnerability, but does not apply SCAP standards (CVE, CVSS, CPE), Access42 reserves the right to do so.