Numorian Coordinated Vulnerability Disclosure Policy

At Numorian, we are committed to safeguarding our clients, partners, and the broader digital ecosystem. We believe that transparency and collaboration are essential for improving overall cybersecurity. This Coordinated Vulnerability Disclosure Policy outlines how we handle reporting and disclosing vulnerabilities found in commercial products and open-source software during our penetration tests and research.[1]

Scope and Process

This policy applies to any vulnerabilities discovered by Numorian during penetration testing or security research, when such reporting is authorized under the applicable NDAs. Upon discovery, we document and assess the vulnerability, then work directly with the affected vendor or maintainer to provide them with the details necessary for remediation. Our goal is to protect users by ensuring that vulnerabilities are addressed and that users are able to take the necessary steps to protect themselves.

Disclosure Timeline and Mitigating Circumstances

Our standard timeline for public disclosure of a vulnerability is 90 days from the date of discovery. We may extend this timeline when additional time is required due to complex remediation efforts or other mitigating circumstances, provided a justification for the delay is given. Our overriding objective remains to protect end users, either by ensuring that vulnerabilities are addressed properly or by notifying users so that they can take mitigating steps in the absence of an update from the vendor.

Should we learn, or have reasonable grounds to believe, that a vulnerability is already known to or easily discoverable by malicious actors, this timeline may be shortened, up to and including immediate public release.

User-Centric Approach

Our CVD Policy is designed with the end user in mind. We believe that keeping users informed, even if a fix is not yet available, is vital for allowing them to make informed security decisions. Unlike some older “Responsible Disclosure” models, which can inadvertently prioritize vendor interests over user protection, our approach ensures that the needs of the users come first. (For more context on our view, please see Responsible Disclosure is Wrong.)

Every decision made, both in regard to timeline and details released, will be based solely on what is in the best interest of users.

FAQ

Q: Why do you disclose vulnerabilities even if there isn’t a fix available?

A: Transparency is critical for user safety. By informing users about potential vulnerabilities, they can take steps to mitigate risks while the vendor works on a fix. Our priority is to ensure users are as protected as possible.

Q: What is the difference between Coordinated Vulnerability Disclosure and Responsible Disclosure?

A: While both approaches aim to handle vulnerabilities carefully, our Coordinated Vulnerability Disclosure model is designed to put the interests of the users first. We have found that older Responsible Disclosure models can sometimes prioritize vendor concerns over user safety, which is why we follow a user-centric approach.

Q: Why is there a maximum of 90 days for disclosure?

A: The 90-day disclosure window is a balance between giving vendors adequate time to remediate vulnerabilities and ensuring that users are not left in the dark about potential risks. This timeframe is widely recognized in the industry as an appropriate period for coordinated disclosure, with flexibility for mitigating circumstances as needed.

Q: What happens if a vendor fails to address a vulnerability within 90 days?

A: In cases where remediation has not been completed within 90 days, we will re-engage with the vendor to assess the situation. If necessary, and after considering all mitigating factors, we will move forward with public disclosure to ensure that users are informed and can take appropriate precautions.

Questions?

At Numorian, our Coordinated Vulnerability Disclosure Policy reflects our commitment to user protection and responsible cybersecurity practices. By working collaboratively with vendors and being transparent about potential risks, we strive to enhance the overall security posture of the digital community. If you have any questions or need further clarification about our CVD Policy, please feel free to contact us.


  [1] Vulnerabilities found in third-party products during penetration tests are subject to non-disclosure agreements (NDAs) and other agreements with our clients; we will report these vulnerabilities when we are able to, subject to these agreements.
