Responsible Disclosure Policy

As security professionals, we take very seriously both our own security and privacy and that of others in the industry and the broader technology community. We are committed to a constructive approach to coordinated disclosure.

Our goal is to help create a safer and more secure world. To that end, we aim to work constructively across the security researcher and vendor communities to help improve security.

When we find a vulnerability in a vendor’s products outside of a confidential client engagement, River Loop Security will:

  1. Keep any communication regarding the vulnerability confidential until the completion of the disclosure process.
  2. Make a reasonable attempt to contact the appropriate vendor by email, telephone, “contact us” web forms, and/or other methods.
  3. Provide vulnerability details to the vendor.
  4. Send a notification to CERT/CC 15 days after the first attempt at contacting the vendor, if River Loop believes this may be needed to get the information to the vendor.
  5. Prepare and publish an advisory detailing the vulnerability at least 60 days after initial attempts at disclosure at stage #2 above, barring extenuating circumstances. This advisory will be made available to the general public via River Loop Security’s blog and/or social media.

Please contact us if you have any questions.