Responsible Disclosure Policy
At Praetorian, we take security issues very seriously and recognize the importance of privacy, security, and community outreach. Our mission is to work with third parties (including our customers, the open-source community, and others) to improve the security and quality of the software that powers their business functions.
This Responsible Disclosure Policy (the “Policy”) sets forth the reporting and disclosure process for vulnerabilities in products or services that Praetorian Security Engineers find during the course of their work, which are: 1) not directly within the scope of work for a particular engagement, 2) not found in products released by Praetorian Labs or Praetorian Engineering, and 3) not the result of work performed on a customer project.
If a vulnerability is discovered during a paid engagement, Praetorian will not pursue this vulnerability independently without the client’s express permission. It is at the client’s discretion whether a security advisory procedure will be instigated at the conclusion of the engagement.
Vulnerability Disclosure Guidelines and Processes
Upon initial discovery of a previously unknown vulnerability, the respective Security Engineer will work directly with the Praetorian Technical Steering Committee (TSC) to coordinate the responsible disclosure to the affected vendor, service, or open-source project. After an initial investigation, technical validation, and impact assessment have been performed, Praetorian will attempt to contact the vendor by email to notify the vendor of such discovery.
- Praetorian will initially attempt to create a secure communication channel with the vendor by exchanging PGP keys for encrypted email. If a secure communication channel is successfully created, then an encrypted copy of the vulnerability report will be sent to the vendor through that channel.
- If no response to the attempt to create a secure communication channel is received by TSC within seven (7) days, then a description of the vulnerability will be sent by email to the vendor in plain text.
Our approach to vulnerability disclosure is generally based on industry standards and the Carnegie Mellon University Computer Emergency Response Team (CERT) Vulnerability Policy. For additional information, see the CERT disclosure guidelines.
It is the goal of this Policy to balance the need of the public to be informed of security vulnerabilities with the need of the vendor to be given sufficient time to respond effectively. The final publication schedule will be determined based on the best interests of the affected parties and overall community.
Actions and Timelines
Day 0
Praetorian TSC makes initial contact with vendor
Day 7
Praetorian TSC makes a second attempt to contact the vendor, if there is no response to the initial communication
Day 45
Praetorian TSC sends reminder email to the vendor with the release date of the vulnerability report
Day 60
Praetorian TSC sends a final reminder email to the vendor, if the vendor has not responded or has stopped responding
Day 90
- Praetorian TSC discloses the full vulnerability report on the Praetorian Security Blog and releases any applicable POC code to GitHub
- OR, if the vendor releases a vulnerability patch or mitigation prior to Day 90, TSC will disclose the full vulnerability report immediately following this release*
- TSC will also submit a CVE publication request to MITRE
*Note: If progress is being made and the 90-day default timeline is not adequate for creating a patch or any other type of mitigation that addresses the vulnerability, extenuating circumstances may result in adjustments to the disclosures and timelines when deemed necessary.
Contact Information
If you have any questions about this Responsible Disclosure Policy, please contact us:
- By email: support@praetorian.com
- By mail: 98 San Jacinto Blvd., Suite 500, Austin, TX 78701, United States