Trustwave SpiderLabs Vulnerability Disclosure Policy
Spending each day immersed in penetration tests and research into the latest threats, our SpiderLabs® experts occasionally discover new vulnerabilities as a part of their work. When that happens, we follow our established disclosure policy. Learn more about our disclosure policy below.
Policy Definitions
- The vendor is the individual, group, or company that maintains the software, hardware, or resources that are related to the vulnerability.
- The date of contact is the point in time when Trustwave SpiderLabs initially contacts the vendor about the vulnerability.
- All dates, times, and time zones are relative to location of Trustwave headquarters (Chicago, IL).
- All day counts are calendar.
The goals of this disclosure policy are education and risk reduction
- Education of the vendor about the vulnerability and risk reduction through vendor patch or workaround development.
- Education of Trustwave SpiderLabs on how the vendor intends to fix the vulnerability and risk reduction through developing protections in Trustwave products and services.
- Education of the information security community and the public at large about the vulnerability and risk reduction through spreading awareness of a vendor patch / workaround as well as protections and security controls that can prevent exploitation of the vulnerability.
Policy
- The vendor will be given 14 days from the date of contact for an initial response. Should no contact occur by the end of 14 days, Trustwave SpiderLabs will evaluate the risk to our clients and may decide to disclose the vulnerability to its clients, at a minimum.
- Trustwave SpiderLabs will provide a best effort to honor requests from the vendor for additional information or help in reproducing the vulnerability. This will include providing configuration details and the scenario in which the vulnerability was discovered.
- The vendor is responsible for providing regular status updates (regarding the resolution of the vulnerability). If the vendor discontinues communication at any stage of the process for more than 30 days after date of contact, Trustwave SpiderLabs will view the vendor as non-responsive and will consider public disclosure.
- The vendor is encouraged to provide proper credit to Trustwave and to the researcher responsible for discovering the vulnerability. Suggested (minimal) credit would be: "Credit to [researcher name] from the SpiderLabs team at Trustwave for disclosing the vulnerability to [vendor name] ."
- The vendor is encouraged to coordinate a joint public release/disclosure with Trustwave SpiderLabs so that advisories of the vulnerability and resolution can be made available together.
- The vendor will be given a maximum of 90 days after date of contact to release a patch. After 90 days Trustwave SpiderLabs will consider public disclosure.
- If a third party publicly discloses the vulnerability during this process, disclosure will be considered to be public and Trustwave SpiderLabs will work with the vendor for immediate disclosure.
- If the vulnerability is being actively exploited in the wild Trustwave SpiderLabs will work with vendor on an escalated disclosure timeline potentially less than seven days after date of contact if exploitation is experienced on a wide and public scale.
- Proof of concept code or technical explanation of exploitation of a vulnerability that is rated critical may be withheld for up to 14 days after public disclosure to allow time for organizations to protect themselves.