Disclosure Policy

Stratigos Security performs research that occasionally leads to the discovery of software flaws. When we encounter what we believe to be a security or privacy issue we will attempt to coordinate with the appropriate stakeholder groups to both fix the underlying issue and reduce any impact. This process has the goal of reducing overall risk to the public at large, and we will attempt to act in the best interest of the public in the long term. We rely on resources listed below to inform our decision-making, as well as consultation with colleagues who have authored the standards or run the programs.

​

Stratigos Security believes that it is critical to the security and privacy research process for each side to act in the way they see appropriate. This is why we have documented our process and work openly with vendors.Stratigos Security does not seek to supplant our judgement for that of others, and we expect that they will not impose their judgement upon us. It is our policy to act in the best interest of our clients, ourselves and the general public. This may include disclosing vulnerability information publicly and/or privately - after all, the manufacturer created and published the vulnerability along with the software, so it's unreasonable to assume these flaws can't be found by others just as easily as we found them.

Stratigos Security may also, as appropriate, assist other unaffiliated researchers in managing the coordinated disclosure process - contact us to discuss working together.

​

Coordinated Disclosure Process

1. Vulnerability is discovered, reviewed and confirmed.

2. Draft notification is created and submitted to vendor contacts

3. Stratigos Security contacts other parties, as appropriate (for example, CERT, MITRE, etc.)

4. Establish timelines, milestones and process for remediation and communication

5. Vendor fixes underlying issue, publishes update and notifies their clients or customers

6. Stratigos Security issues brief statement on the discovery

 

If, at any time during the process, Stratigos Security determines that the vendor is non-responsive or not acting in the best interests of our clients or the general public, we reserve the right to disclose the vulnerability, publicly or privately, without further notice.

​

Disclosure Documentation

Stratigos Security uses a standard disclosure notification and reporting template that contains the following information, as appropriate.

• Internal tracking code

• External tracking code(s)

• Severity score (CVSS v2)

• Vendor(s)/group(s) involved

• Product(s)/service(s) affected

• Version information

• Date discovered/reported

• Current status

• Issue summary

• Issue detail

• Proof-of-concept or validation procedures

• Root cause identification

• Potential effects

• Recommendations for affected parties

​​

Resources

Stratigos Security relies on standards documents, generally accepted principles, and relavent experts.

 

Reference standards

• ISO/IEC 29147 Vulnerability Disclosure

• ISO/IEC 30111 Vulnerability Handling Processes

 

Example Policies

• Google Vulnerability Disclosure Philosophy

• Microsoft Coordinated Vulnerability Disclosure policy

Facilitated reward and recognition programs

• BugCrowd

• HackerOne

 

Disclosure Facilitators

• The non-profit organization MITRE, through US CERT Reporting Portal