We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. When Enable Security discovers vulnerabilities through its own research, it will notify vendors of these vulnerabilities with details shared in public with the defensive community after 90 days of first contact, or sooner if the vendor releases a fix.
- Enable Security will make reasonable efforts to establish confidential communications with the vendor.
- Once contact has been made with the vendor's security team, or designated contact, Enable Security will communicate full details of the vulnerability, along with a link to this policy and the current planned disclosure date.
- Enable Security will provide reasonable assistance to the vendor in understanding the significance of the discovered vulnerability.
- If the vendor does not acknowledge our initial contact within 7 days, further attempts over different channels will be made to establish the right contact within the vendor's organization.
- If after 30 days of initial contact, no acknowledgement is received from the vendor, final contact will be made advising of full disclosure in 30 days time.
- After a further 30 days, making 90 days from initial disclosure, Enable Security will publish the vulnerability.
The 90 day deadline can vary in the following ways:
- If a deadline is due to expire on a weekend or US/German public holiday, the deadline will be moved to the next normal work day.
- Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch. If the patch is delayed yet again beyond the 14 day grace period, we reserve the right to publish the vulnerability.
- When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Enable Security expects to be held to the same standard.
This policy, based on Google's, is strongly in line with our desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over deadline.
For the latest news, research, and developments from Enable Security on security, research, and projects visit our blog.