As security professionals, we take very seriously both our own security and privacy and that of others in the industry and the broader technology community. We are committed to a constructive approach to coordinated disclosure.
Our goal in this is to help create a safer and more secure world – as such, we aim to work constructively across the security researcher and vendor communities to help improve security.
When we find a vulnerability in a vendor’s products outside of a confidential client engagement, River Loop Security will:
1. Keep any communication confidential regarding the vulnerability until the completion of the disclosure process.
2. Make a reasonable attempt to contact the appropriate vendor by email, telephone, “contact us” web forms, and/or other methods.
3. Provide vulnerability details to the vendor.
4. Send a notification to CERT/CC 15 days after the first attempt at contacting the vendor, if River Loop believes this may be needed to get the information to the vendor.
5. Prepare and publish an advisory detailing the vulnerability at least 60 days after initial attempts at disclosure at stage #2 above, barring extenuating circumstances. This advisory will be made available to the general public via River Loop Security’s blog and/or social media.
Please contact us if you have any questions.