OpCode 41 Security, Inc. (“OpCode41”) follows the cyber security industry best practice of responsible disclosure. OpCode41 follows CERT/CC’s 45-day disclosure policy. As per the CERT/CC FAQ, timelines and details of what information is released may change depending on circumstances. OpCode41 differs from CERT/CC with respect to the release of exploit code and may release proof-of-concept code in line with industry disclosure practices.
Once OpCode41 identifies and verifies a vulnerability, we take the following steps:
- OpCode41 will attempt to contact the appropriate product vendor by email and telephone
- OpCode41 will provide the vulnerability details to the vendor, potentially including proof-of-concept exploit code
Once OpCode41 contacts the vendor (independent of vendor responsiveness):
- OpCode41 will send a notification to CERT/CC starting the 45-day countdown
- OpCode41 may request CVEs from MITRE
- OpCode41 may make partial disclosures in line with industry practice
- OpCode41 will usually not release vulnerability details or exploits before the 45-day mark except when warranted (see CERT/CC FAQ)
At the 45-day mark as per CERT/CC:
- OpCode41 may prepare and publish an advisory detailing the vulnerability or vulnerabilities found, including potential exploit code
This policy may be updated periodically.