Vulnerability Reporting Policy

Purpose

This document aims to limit the responsibilities of the parties involved when a weakness or vulnerability is discovered, and to reach an effective solution to the problem for the companies involved while minimizing the risk of a publication made without the consent of the software ISV.

Process

The resolution process is comprised of the following stages:

  1. DISCOVERY: GOODFELLAS finds what it deems a potential vulnerability.
  2. NOTIFICATION: GOODFELLAS notifies the ISV, sending the necessary information about the bug. The ISV confirms that it has received the notification, thereby accepting this policy.
  3. INVESTIGATION/VALIDATION: The ISV performs a deeper investigation about the report GOODFELLAS produced and tries to reproduce or verify the bug on their own or with assistance from the GOODFELLAS research team.
  4. RESOLUTION: The ISV produces and publishes a fix that solves or mitigates the problem.
  5. PUBLICATION: The ISV and GOODFELLAS coordinate a joint public disclosure of the vulnerability, its implications and the solution.

Procedure

Below we describe in more detail the stages enumerated earlier in this document.

Stage 1: DISCOVERY

GOODFELLAS produces a report with at least the following information:

  • Internal ID
  • Introduction
  • Summary
  • Impact
  • Workaround
  • Timeline
  • Credits
  • Technical details

This document should be enough for the ISV to identify, evaluate and reproduce the vulnerability.
NOTE: Depending on the affected ISV, the type of vulnerability and its criticality level, our team might proceed directly to publishing the bug (Stage 5).

Stage 2: NOTIFICATION
First, the GOODFELLAS team looks for a suitable email address on the ISV's web page; if none is found, mails will be sent to:

security@
secure@
security-alert@
secalert@
support@
info@
sales@

A non-automated answer is expected within the next 7 days, confirming receipt of the report and the commitment to investigate the problem.
NOTE: such a response implicitly accepts the terms of this policy.

Stage 3: INVESTIGATION/VALIDATION
During this period, the ISV should investigate the vulnerability and, if necessary, reproduce it in order to understand how and which of its products are affected (beyond the ones already pointed out by our team).
GOODFELLAS also expects the ISV to contact the research team with updates on the status of the problem and to define a publication schedule. In case GOODFELLAS does not receive any notification for 30 days, the team reserves the right to unilaterally publish the vulnerability.

Stage 4: RESOLUTION
The resolution of a vulnerability consists of the following:

  • a patch release
  • a workaround
  • another alternative resolution method

The ISV must notify GOODFELLAS of the proposed solution, since it will be included in the vulnerability disclosure document. In case the ISV cannot solve the problem in a timely manner, GOODFELLAS reserves the right to unilaterally publish the vulnerability.

Stage 5: PUBLICATION
The ISV will work with the GOODFELLAS research team to schedule a joint publication date and to define the level of detail that publication will have. The ISV will provide GOODFELLAS with the vulnerability's CVE ID.

The ISV may request from GOODFELLAS a "grace period" of up to 30 days, during which no information about the vulnerability will be released. This allows the customers (of both the ISV and GOODFELLAS) to patch their systems.

The ISV must give proper credit to GOODFELLAS for reporting the vulnerability during the notification stage, whether in a public advisory or through a link on its website.

revision.v2

GOODFELLAS Security Research Team