This document was last updated on April 13, 2022
This disclosure policy ("Policy") describes how Fluid Attacks ("Fluid Attacks", "we", "us" or "our") discloses third-party product vulnerabilities found by our Offensive Team.
This Policy does not apply to vulnerabilities found for customers as part of the Continuous Hacking and One-Shot Hacking services, unless there is explicit approval, as they are covered by a Non-Disclosure Agreement.
Fluid Attacks' commitment is to find all vulnerabilities and report them as soon as possible. To accomplish this, we adhere to the ISO/IEC 29147:2018 and ISO/IEC 30111:2019 standards, which describe the accepted responsible disclosure and vulnerability handling guidelines to ensure the maximum benefit for vendors, customers and the community in general. This includes:
Providing the maximum level of detail on the vulnerabilities found, so that vendors are able to reproduce the problem.
Ensuring coordinated disclosure of the vulnerabilities with the affected vendors, minimizing the damage that can occur with early disclosures.
This leads to an overall risk reduction for the users.
Fluid Attacks will apply this Policy to disclose third-party product vulnerabilities for which we will issue CVE IDs and that are not in the scope of another CNA (CVE Numbering Authority).
The vulnerability types that we process are the ones defined in our findings classification. However, vulnerabilities that don't fit this classification will also be reviewed if there is an evidenced risk.
Fluid Attacks is always looking for vulnerabilities. Once our team
finds a new unpublished vulnerability, we will proceed as follows:
An initial report is created with all the details of the vulnerability and with any applicable proof of concept.
If the vulnerability is found through our Continuous Hacking or One-Shot Hacking services, it will be reported only to the affected customer via our Attack Resistance Management platform (ARM). Moreover, if this vulnerability affects a third-party product, we will proceed to ask for the customer's consent to send the report to the product vendor.
If the vulnerability is found by our Research Team in a third-party product, the report will be sent to the affected vendor.
A new advisory draft is created on our Advisories page containing only the affected product, the report's current status and the timeline. We will update it at each relevant event around the vulnerability (vendor reply, patch availability, proof of concept availability, in-the-wild exploitation indicators, etc.).
We will wait up to five (5) days for the vendor to acknowledge the report. If there is no response in that time, we will proceed with our Responsible Disclosure process.
If the vendor acknowledges the report but there are no updates on the issue after fifteen (15) days, we will proceed with our Responsible Disclosure process.
Otherwise, we can arrange a coordinated vulnerability disclosure with the vendor. We suggest that this be done no more than ninety (90) days after the discovery.
Fluid Attacks also reserves the right to disclose the vulnerability at
any time in cases where early disclosure would provide benefits to
Vulnerability disclosure is performed according to the parameters described above. The process is as follows:
The advisory draft on Advisories will be updated with the details of the vulnerability and any relevant proof of concept.
If necessary, a new CVE will be issued.
The advisory will be published to relevant public email lists, social media or blog posts.
If you would like to contact us to learn more about this Policy or to discuss any matter related to it, please send us an email to [email protected].