May 12, 2017

Vulnerability Disclosure Policy

OpCode 41 Security, Inc. (“OpCode41”) follows the cyber security industry best practice of responsible disclosure. OpCode41 follows CERT/CC‘s 45-day disclosure policy. As per the CERT/CC FAQ, time-lines and details of what information is released may change depending on circumstances. OpCode41 differs with CERT/CC in respect to the release of exploit code and may release proof-of-concept code in line with industry disclosure practices.

Once OpCode41 identifies and verifies a vulnerability, we take the following steps:

  • OpCode41 will attempt to contact the appropriate product vendor by email and telephone
  • OpCode41 will provide the vulnerability details to the vendor, potentially including proof-of-concept exploit code

Once OpCode41 contacts the vendor (independent of vendor responsiveness):

  • OpCode41 will send a notification to CERT/CC starting the 45-day countdown
  • OpCode41 may request CVEs from MITRE
  • OpCode41 may make partial disclosures in-line with industry practice
  • OpCode41 will usually not release vulnerability details or exploits before the 45-day mark except when warranted (see CERT/CC FAQ)

At the 45-day mark as per CERT/CC:

  • OpCode41 may prepare and publish an advisory detailing the vulnerability or vulnerabilities found, including potential exploit code

This policy may be update periodically.