Vulnerability Disclosure Policy
Rhino Security Labs believes in a timely and responsible vulnerability disclosure policy which alerts vendors to potential security issues in their products.
We will attempt to disclose our security advisory to the affected vendor(s), co-ordinate potential mitigation testing and prepare for public disclosure.
- We will disclose our findings to the affected vendor(s) using publicly accessible means of communications (email, fax, contact forms, bug bounty platforms, etc)
- Vendor(s) will have 45 days to acknowledge, respond and mitigate findings
- Our security advisories may contain information to help the vendor(s) understand risk potential, including but not limited to, SVSS scores, CWE references and historical examples of similar vulnerabilities in other software for reference.
- Within that time-frame, Rhino Security Labs will assist in mitigation testing, confirmation and coordination of public disclosure.
- For public disclosure extensions, please see ‘Extenuating circumstances’ below
We reserve the right to move forward on disclosure if the following occurs:
- Vulnerabilities in question are being actively exploited in the wild
- Vendor(s) are unresponsive
- Partial vulnerability information has already reached the public
Extenuating circumstances may lead to an extension of our vulnerability disclosure policy, unless we feel it is not required. They are listed below:
- Mitigation and patch development schedule
- Critical severity and exploitability
- Infrastructure risk
- Vulnerabilities which affect standards
- Extensive code overhaul or rewrites
Please contact [email protected] if you have questions or concerns with this policy, or disclosures.