This document was last updated on May 3, 2021
This disclosure policy ("Policy") describes how
Fluid Attacks ("we", "us" or "our")
discloses third-party product vulnerabilities found by our Offensive Team.
Fluid Attacks' commitment is to find all vulnerabilities
and report them as soon as possible.
In order to accomplish this, we adhere to
ISO/IEC 29147:2018 and its companion
standards, which describe the accepted responsible disclosure and
vulnerability handling guidelines that ensure the maximum benefit
for vendors, customers and the community in general. This includes:
Providing the maximum level of detail on the vulnerabilities found, so that the vendors are able to reproduce the problem.
Ensuring coordinated disclosure of the vulnerabilities with the affected vendors, minimizing the damage that can occur with early disclosures.
This leads to an overall risk reduction for the users.
Fluid Attacks will apply this Policy
to disclose third-party product vulnerabilities to which we will assign
CVE IDs and that are not in the scope
of another CNA (CVE Numbering Authority).
The vulnerability types that we process are the ones defined in our findings classification. However, vulnerabilities that do not fit this classification will also be reviewed if there is evidence of risk.
Fluid Attacks is always looking for vulnerabilities.
Once our team finds a new, unpublished vulnerability,
we will proceed as follows:
An initial report is created with all the details of the vulnerability and with any applicable proof of concept.
If the vulnerability is found by our Research Team in a third-party product, the report will be sent to the affected vendor.
A new advisory draft is created on our Advisories page containing only the affected product, the report's current status and the timeline. We will update it at each relevant event around the vulnerability (vendor reply, patch availability, proof of concept availability, indicators of in-the-wild exploitation, etc.).
We will wait up to five (5) days for the vendor to acknowledge the report. If there is no response in that time, we will proceed with our Responsible Disclosure process.
If the vendor acknowledges the report but there are no updates on the issue after fifteen (15) days, we will proceed with our Responsible Disclosure process.
Otherwise, we can arrange a coordinated vulnerability disclosure with the vendor. We suggest that this take place no more than ninety (90) days after the discovery.
Fluid Attacks also reserves the right
to disclose the vulnerability at any time
in cases where early disclosure would provide benefits to stakeholders.
Vulnerability disclosure is performed according to the parameters described above. The process is as follows: