Vulnerability Disclosure Policy
Bishop Fox takes security issues very seriously. We are committed to addressing and reporting any identified security issues through a coordinated and constructive approach. We believe in coordinated disclosure, and we work closely with vendors and clients to patch vulnerabilities promptly. We adhere to the industry standard 90-day disclosure deadline. We notify vendors and our clients of vulnerabilities immediately, with details shared in public after 90 days, or sooner if the vendor releases a fix before the end of the timeline.
That deadline can vary in the following ways:
- If a deadline is due to expire on a weekend or U.S. public holiday, the deadline will be moved to the next workday.
- Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch.
- When we observe a previously unknown and unpatched vulnerability (a “zero-day”) in software under active exploitation, we believe that more urgent action—within seven days—is appropriate. The reason for this is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts risk being compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information or a pre-disclosure notice. As a result, after seven days have passed without a patch or advisory, we will support researchers making details available so that users can protect themselves.
CVEs are an industry standard for identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that extend beyond our deadline, we ensure that a CVE has been pre-assigned.
If a vendor is unresponsive, Bishop Fox will send a notification to CERT/CC 15 days after the first attempt at contacting the vendor.
We reserve the right to bring deadlines forwards or backwards based on extreme circumstances. Bishop Fox is committed to treating all vendors equally. This policy aligns with Bishop Fox desire to improve industry response times to security bugs but also results in more flexible timelines for bugs marginally over deadline.
View ongoing Bishop Fox advisories on CVEs our researchers have authored here.
Reporting Security Issues
If you would like to report a security vulnerability in a Bishop Fox asset, please write to [email protected].