
Responsible Disclosure Policy

1. Introduction
Vulnerabilities in computer-related products are commonly discovered as a result of security tests and
research. We believe that knowledge of these flaws creates a shared responsibility between the IT
security company that discovered the vulnerability and the related vendor, which must work together
to address the problem and supply the user community with an adequate response.

As a network and application security consulting firm, we constantly research new methods to
understand and exploit computer products, anticipating new threats and developing countermeasures
to prevent them for our customers. This policy states how Conviso IT Security will minimize risks to
our clients and to the market, and contribute to the security community, through a Responsible
Disclosure process.

2. Discovery Process
When a vulnerability is discovered, Conviso Security Labs will prepare a Security Advisory that
describes the vulnerability, identifies the related vendor and the versions of the component that are
vulnerable, the potential ways in which the vulnerability can be exploited, the proposed risk-reduction
countermeasures, and the risk to the user community.

This document will be prepared as a draft and shared with the vendor, and a Common Vulnerabilities
and Exposures (CVE) number will be requested from MITRE [1] in order to prepare the publishing process.
Public availability in the publishing process will proceed according to the timeline defined in this policy.

3. Liaising with Impacted Vendor
The impacted vendor will be notified after completion of the Security Advisory draft, and a copy of
this document, together with any other information that may be helpful, will be provided. The vendor
will be notified using the publicly available contact name or email address on the related public
website.

We understand that as soon as communication is established with the vendor, a collaboration process
must begin in order to reach a full understanding of the vulnerability and agree on corrective action.
The day the vulnerability is communicated to the vendor will be considered "Day 0" of the disclosure
timeline, and we expect a response by email within 7 days that acknowledges receipt of our notification
and identifies a plan to address the vulnerability.

[1] http://cve.mitre.org/

Conviso IT Security | Responsible Disclosure Policy! 1


4. Collaboration with Other Parties
Conviso IT Security will communicate with its customers immediately about any vulnerability
identified, and may disclose the vulnerability to other Computer Security Response Teams, such as
CERT or CERT-BR, if the impact justifies this action.

5. Security Advisory Release Coordinated with the Vendor
Conviso IT Security will prepare the final version of the Security Advisory, which discloses the same
information originally provided to the vendor (unless facts have changed) as well as any workarounds
or patches that have been made available by the vendor or Conviso Security Labs. This advisory will
be coordinated with the vendor and issued at the time a fix is available. The advisory release will be
written by Conviso Security Labs and approved by the Research & Development Manager and the
Operations Manager.

Task | Timeline | Comments
Security Advisory draft development | Day 1 | N/A
Conviso IT Security's customers notified | Day 2 | Customers will be notified immediately on conclusion of the Security Advisory draft version.
Vendor notified (first attempt) | Day 2 | Vendor will be notified immediately on conclusion of the Security Advisory draft version.
Vendor notified (second attempt) | Day 12 | A second contact attempt will be made 10 days after the initial one if no response is received from the vendor.
Vendor notified (third attempt) | Day 22 | A third contact attempt will be made 20 days after the initial one if no response is received from the vendor.
Vendor notified (final attempt) | Day 32 | A final contact attempt will be made 30 days after the initial one if no response is received from the vendor.
Publish the Security Advisory | Day 62 | A timeline of 60 days will be provided for the vendor's effort to provide a patch and/or workaround to address the related vulnerability.

6. Timeline
All vulnerabilities will be disclosed to the public 90 days after the initial report, regardless of whether
patches or workarounds are available from the affected vendors. Extenuating circumstances, such as
active exploitation, threats of an especially serious nature, or situations that require changes to an
established standard, may result in earlier or later disclosure.

In common cases we intend to follow a timeline of 60 days between identification of the vulnerability
and public availability of the Security Advisory, which we consider an acceptable deadline for a large
organization to meet.
