Vulnerability Disclosure Policy
Redfox Cyber Security Inc. (referred to as Redfox Security in this policy) frequently uncovers critical security vulnerabilities in third-party code and systems, including vendor and open-source software. We advocate for responsible action from vendors and security researchers regarding vulnerability disclosure, aiming for prompt resolution and community awareness through patches and system updates. Redfox Security adopts an approach aligned with Google Project Zero’s policy, setting a 90-day disclosure deadline.
Once we detect security vulnerabilities in third-party or open-source products, we provide a technical report to the vendors and open-source projects involved. The method of disclosure depends on factors such as client interests, community impact assessment protocols, and any other relevant considerations.
We expect the developer to address the security vulnerability within ninety (90) days. If it is not resolved within this timeframe, Redfox Security reserves the right to release details about the vulnerability in a manner that mitigates its potential harm and encourages further detection of such vulnerabilities. However, vendors may opt to disclose details early if they wish to align their announcement with an official security bulletin release, if technical details are already public due to development practices, or if a fix for affected products has already been implemented. Redfox Security retains the discretion to delay publishing vulnerability details beyond the 90-day mark if deemed necessary.
Contact Steps
Redfox Security follows a responsible disclosure process outlined below:
- We endeavour to establish a secure communication channel with the vendor to discuss the vulnerability.
- Redfox Security shares a technical document outlining the discovered vulnerability along with a high-level recommendation for remediation to aid the vendor in understanding the risk involved.
Our initial outreach seeks to establish secure communication channels through official security disclosure mechanisms provided by the vendor, followed by direct email communication with potentially relevant contacts, and if necessary, outreach via social media channels (using direct messaging, not public channels). If all other methods fail, we may resort to contacting the vendor’s general office phone number.
Sensitive vulnerability details are not shared until a secure communication channel is confirmed. At this initial point of contact, both parties establish an open communication channel and designate one or more points of contact in Redfox Security for collaboration purposes.
Once a secure channel is established, Redfox Security provides the vendor with detailed vulnerability information, including supporting evidence and the details needed to understand, reproduce, and ideally fix the vulnerability. This information may include exploitation details, proof-of-concept code, and any specific replication instructions. Redfox Security may assist in testing patches provided by vendors to ensure the issue has been effectively addressed. Our communication also states our intent to publish the vulnerability within 90 days. If the vendor’s resolution or workaround is ready within this timeframe, it will be included in the initial disclosure. Otherwise, it will be published separately when available.
Unresponsive Contact
Redfox Security makes reasonable efforts to contact the vendor throughout the 90-day period. However, if the vendor remains unresponsive, fails to address the reported issue within the stipulated timeframe, or disputes the severity of the reported vulnerability, Redfox Security may expedite the disclosure process.
Beyond 90 Days
Redfox Security may extend the disclosure period beyond 90 days if the vendor is actively working on a resolution or if disclosing the vulnerability prematurely could expose Redfox Security’s clients to undue risk.
Disclosure
Vulnerabilities deemed disclosable are published on the Redfox Security blog, including details such as impact, replication steps, and in some cases, proof-of-concept code. Any mitigation steps or software patches provided by the vendor may also be included in the disclosure. Redfox Security maintains a public GitHub repository of all disclosed vulnerabilities.
Client Communication
Redfox Security will notify the client immediately of any vulnerabilities discovered through paid engagement, providing technical details and steps to replicate them through standard reporting channels. Redfox Security may also notify relevant third-party vendors if deemed necessary for effective remediation while ensuring client confidentiality.
Goal
The overarching goal of this policy and Redfox Security’s approach to disclosure is to enhance overall security for the community. It is not driven by financial motives or a desire for business opportunities. While collaboration with Redfox Security is welcomed, there is no expectation for formal engagement from those notified about vulnerabilities in their solutions.