Responsible Disclosure Policy

Here's the RoninSec approach to vulnerability disclosure:

1. If you are our client and we discover a vulnerability in your systems whilst performing an assessment, we will get your permission before reporting it to any software vendor or third party.

2. If we find or suspect a vulnerability in a system that we are using or accessing in the normal course of business activities, we will notify the owner of the system.

3. When we report a vulnerability to a vendor, we will expect the vendor to:
a) acknowledge receipt of the vulnerability report;
b) advise us of the delivery date of the patch for the vulnerability;
c) credit us with discovery of the vulnerability in the notification of the security patch.

4. If receipt of the vulnerability report is not acknowledged (after 5 tries), or a patch is not delivered within 365 days of the vulnerability report, we will go public with the vulnerability.

5. If the vulnerable system is not remediated by the system owner within 90 days after notification, and the system is critical national infrastructure, we will report the vulnerability to the relevant government authority.

Guidelines for vulnerability disclosure:
  • If we have found a technical vulnerability specific to your systems during an assessment, we will not discuss the details of this vulnerability with anyone, as disclosure could reveal weaknesses to an attacker.
  • If we have found vulnerabilities in a system used by pretty much everyone in a similar configuration (e.g. shrink-wrapped software or a consumer device in wide use), we will discuss the vulnerabilities in order to drive change.