When Assura, Inc. (hereinafter “Assura”) discovers a vulnerability in a commercially available product or solution, Assura adheres to the following policy on vulnerability notification and remediation, harm reduction, and timeline for release to the public.
Vulnerability Notification and Remediation
Assura will notify the vendor’s security contact (if available) or technical support as soon as possible after validating that the vulnerability is due to the product’s code or default configuration.
Assura will provide a full description of the vulnerability in question, steps for exploitation, and proof-of-concept (if one exists), sent via secure (encrypted) channels where the vendor offers them.
If the vendor does not issue CVE numbers or have an associated CVE Numbering Authority (CNA), Assura will work with third-party coordinators such as Bugtraq or a Root CNA to reserve a CVE number.
Vendors contacted by Assura for vulnerability notifications should assume benevolence.
Assura makes every attempt to prevent disclosure of a vulnerability without adequate notification and coordination with vendors to reduce harm to the vendor’s reputation and to the vendor’s clients.
Vendors who participate in the vulnerability disclosure process may request that vulnerability details that could lead to widespread exploitation (e.g., working exploit code/proof-of-concept) be withheld, and Assura will respect that request. However, Assura will release a notification to the public regarding the vulnerability’s existence and the fact that proven exploits do exist.
Assura attempts to reduce risks by selecting reasonable disclosure deadlines as set forth below.
Assura notifies the vendor as soon as possible but not more than two business days after finding and validating the vulnerability.
Assura waits 5 business days from the date of the initial notification to receive a response from the vendor before contacting a third-party coordinator or Root CNA to assist with the disclosure of the vulnerability to the vendor.
Assura waits 90 days from the date of the initial notification before releasing detailed vulnerability information via the third-party coordinator or Root CNA.