Tangible Labs

Responsible, Ethical Vulnerability Disclosure

This policy does not apply to vulnerabilities discovered as part of client engagements, which are protected under NDA. It only applies to independent research projects where Tangible Security procures and tests publicly available products for vulnerabilities that might affect consumers.

This vulnerability disclosure policy serves as a guideline for how Tangible Software, Inc., doing business as Tangible Security, will handle vulnerability notifications and disclosures to the responsible vendors (maintainers) and the public. It is the policy of the company to ethically and responsibly disclose security vulnerabilities in a manner that provides the most benefit to all parties. The disclosure process also serves as a formal method to inform both the maintainer and the community of the issue and of a solution, if one exists.

Definitions

  • ISSUE - The flaw, vulnerability, or problem that is the subject of a disclosure.
  • MAINTAINER - The individual, group, or vendor that maintains the software, hardware, or resources related to the ISSUE.
  • DATE OF CONTACT - The point in time when Tangible Security notifies the MAINTAINER.
  • All dates, times, and time zones are relative to the Tangible Security office in McLean, Virginia, USA.
  • A work day is defined with respect to the Tangible Security work schedule but is assumed to be Monday through Friday, with the exception of holidays recognized by Tangible Security.

Policy

  • (1) Tangible Security will send an email regarding the ISSUE to the MAINTAINER. The DATE OF CONTACT is the point in time when the email has been sent.
  • (2) The MAINTAINER is to be given 5 working days from the DATE OF CONTACT; should no contact occur by the end of 5 working days, Tangible Labs will review the ISSUE and decide a next course of action that may include public disclosure.
  • (3) Requests from the MAINTAINER for help in reproducing problems or for additional information will be honored by Tangible Security, including by providing configuration details and reproduction steps.
  • (4) The MAINTAINER is responsible for providing regular status updates (regarding the resolution of the ISSUE) at least once every 5 working days.
  • (5) The MAINTAINER is encouraged to coordinate a joint public release/disclosure with Tangible Security, so that advisories describing the problem and its resolution can be made available together.
  • (6) If the MAINTAINER discontinues communication at any stage of the process for more than 10 working days after the DATE OF CONTACT, Tangible Labs will consider the MAINTAINER non-responsive and decide a next course of action that may include public disclosure.
  • (7) 30 days from the DATE OF CONTACT, Tangible Security may, at its discretion, publicly disclose the vulnerability. We believe that by doing so, the MAINTAINER will understand the responsibility they have to their customers and respond appropriately. Requests by the MAINTAINER to delay public disclosure will be handled on a case-by-case basis.
  • (8) When disclosing a vulnerability, if possible, Tangible Security will endeavor to do so in a limited way that includes mitigation suggestions intended to enable the defensive community to protect the public.
  • (9) Tangible Security discloses vulnerabilities for the public benefit; therefore, Tangible will not accept prizes, "bounties", or other payments for doing so. In no cases will a vulnerability be "kept quiet" in exchange for such a payment, or because a MAINTAINER does not wish to address the vulnerability.
  • (10) Tangible Security may move a disclosure to an earlier or later date, depending on specific circumstances, such as when (a) a vulnerability is exploited in the wild; (b) vulnerability information is made publicly available by a third party; (c) fixes are particularly difficult to build; or (d) a vendor is non-responsive after reasonable efforts to engage them in developing a fix.
  • (11) Tangible Security reserves the right to privately share vulnerability discoveries made during independent research at any time with customers or other third parties in order to help secure systems from attacks.

Communication Guidelines

All communications related to disclosures, either from or to Tangible Security, shall use the Tangible Labs disclosure email address (the address is obscured on this page). If the MAINTAINER wishes to encrypt all communications, they should explicitly state this requirement and provide us with their PGP/GPG public key. Our public key for that address can be downloaded from the link below.
Get our PGP/GPG Public Key