Vulnerability Disclosure Policy
White Oak Security (referred to as White Oak in this policy) often finds critical security bugs or vulnerabilities in third-party code and systems, including vendor and open-source software. We believe vendors, as well as security researchers, must act responsibly when it comes to vulnerability disclosure to see these issues promptly fixed and to inform the community at large so they are able to protect themselves with patches and updates to their systems. White Oak’s approach is based on Google Project Zero’s policy and establishes a 90-day disclosure deadline.
When we discover security vulnerabilities in third-party or open-source products, a technical description of the issue is made available to the relevant vendor or open-source project. The manner in which that description is provided depends on a number of factors, including client best interest, impact to the community, the vendor’s or project’s disclosure process, and a variety of other considerations.
Our expectation is that the developer will fix the security vulnerability within ninety (90) days. After 90 days, White Oak may release details about the vulnerability in a manner that minimizes the harm of the flaw and encourages further detection of these vulnerabilities. The vendor may agree to publish details at an earlier date if they want to align disclosure with an official security bulletin release, if the technical details are already public due to development practices, or if a fix has been implemented in the affected product. White Oak may hold off on publishing details of the vulnerability after 90 days if we feel there are reasons to do so.
At the time of third-party notification, an initial vulnerability report is drafted which includes the following statement:
“This bug is subject to a ninety (90) day disclosure deadline. After ninety (90) days have elapsed or a patch has been made broadly available (whichever is earlier), the bug report may be published in order to help users secure their systems.”
White Oak performs responsible disclosure via the following steps:
- We attempt to establish a secure communication channel with the vendor regarding the vulnerability.
- White Oak then shares a technical document detailing the discovered vulnerability as well as a high-level remediation recommendation to help the vendor understand the underlying risk.
Initial outreach in order to establish a secure communication channel is attempted first via official security disclosure mechanisms provided by the vendor (typically a security or disclosure email address), second via direct email to potentially relevant contacts at the vendor, and third via social media (using direct communication, not public channels). Finally, if all other outreach fails, we will reach out by calling the vendor’s general office phone number.
No sensitive vulnerability details are sent until a secure communications channel has been established. During this initial communication, a mutually agreed upon communications channel is established and the vendor is asked to provide a primary point of contact to work with White Oak.
Once a secure communication channel has been established, the technical details of the vulnerability will be provided with relevant supporting information and evidence. The goal is to provide the vendor with the information necessary to understand, reproduce, and (hopefully) fix the vulnerability. This information may include detailed exploitation information, proof-of-concept code, and any special replication instructions that may be required. White Oak may also assist in testing vendor-supplied patches to confirm that the original issue has been corrected. Our communication with the vendor will also include our intent to publish the vulnerability within 90 days. White Oak will also publish the vendor’s resolution or workaround and, if that resolution is ready within 90 days, it will be published with the original disclosure. If it becomes available later, White Oak will publish the resolution when available.
White Oak will make reasonable efforts to reach the vendor team and provide vulnerability information throughout the 90-day period; however, if the vendor cannot be contacted, becomes unresponsive, does not fix the reported issue within the 90-day period or request a reasonable exemption, or does not consider the reported issue to be a security risk, White Oak may begin a quicker disclosure process.
Beyond 90 Days
The goal of this policy is to assist the broader community with knowledge to secure their systems; therefore, White Oak may extend the disclosure of vulnerabilities beyond the 90 days if the vendor is actively working on a resolution or if in our reasonable discretion a White Oak client may be exposed to undue risk by our disclosure prior to the vendor’s resolution.
Third-party and open-source vulnerabilities that are deemed disclosable are published on the White Oak Security blog. These vulnerability disclosures may include vulnerability details, impact, replication steps, and in certain cases, proof-of-concept code to replicate the issue. Any responses or direction from the vendor around mitigation steps and/or a software patch may be provided within the disclosure. White Oak additionally maintains a public GitHub repository of all public vulnerability disclosures.
If a vulnerability in a third-party or open-source product is discovered during a paid engagement, White Oak provides the client with the relevant vulnerability information (including the technical details, steps to reproduce, etc.) via our standard reporting.
White Oak may choose to notify relevant third-party vendors of the existence of vulnerabilities discovered during security testing engagements if we deem this to be an effective path to remediation or the vulnerability has the potential to impact a large number of end users.
White Oak limits the content of any notification to the existence of the vulnerability in question and will not provide any specific data about the client or any information that could be used to identify the client.
The goals of this policy and White Oak’s approach to disclosure are to improve the overall security of the broader community. This is not an attempt to extort money, create business opportunities, or obtain information from any company or individual. If anyone we communicate with regarding a vulnerability in their solution wants to work with White Oak in some more formal capacity, that’s wonderful, but there is no expectation.
This policy only applies to research conducted and published by White Oak. We are not responsible for any personal research and disclosure conducted by our employees in their own name.