Cybersecurity vulnerability disclosure policy

This policy outlines the "BiZone" LLC (BI.ZONE) procedure for disclosing information on cybersecurity vulnerabilities to affected vendors. It satisfies both best practices and de facto standards in vulnerability disclosure.

General provisions

  • BI.ZONE follows the 90 + 30 vulnerability disclosure timeframe. Ninety (90) days are allowed to remedy the vulnerability, and additional (optional) thirty (30) days may be allowed for the distribution of the security update to third parties.
  • Within thirty (30) days, BI.ZONE may publish a vulnerability demonstration video without disclosing technical information about the vulnerability. The date of such publication shall be agreed with the vendor.
  • In the event BI.ZONE is unable to contact a vendor using all reasonable means, then, upon the expiry of the 15 business day period from the initial attempt to contact the vendor, BI.ZONE may publish information about the vulnerability in a public advisory.
  • In the event BI.ZONE sees an active exploitation of a detected, previously unknown vulnerability, BI.ZONE reserves the right to publish the information about it after seven (7) days from the initial attempt to contact the vendor, even if no security update has yet been released for it.
  • If a vendor is unable to release a security patch to close a particular vulnerability within the specified timeframe or decides not to do so at all, BI.ZONE reserves the right to publish a summary of the dialog with that vendor regarding the specified security problem.

Vendor notification

In a quick and responsible manner, BI.ZONE shall notify the appropriate product vendor about a security gap in their product(s) or service(s). Simultaneously with the vendor notification, BI.ZONE may distribute the rules for filtering or detecting attempts to exploit the detected vulnerability to its customers via secured channels.

Information disclosure timeframe

BI.ZONE follows the standard 90 + 30 day timeframe for information disclosure. We notify vendors of vulnerabilities immediately. Information about a vulnerability is published ninety (90) days from the vendor notification date, or sooner if the vendor releases a patch. At the vendor’s request, the vendor may be allowed an additional thirty (30) days after the release of security updates, so that third parties have the time to receive and install the security update. This deadline can vary in the following ways:

  • BI.ZONE will make its best efforts to contact the affected vendors using publicly available methods. If a vendor fails to respond within ten (10) business days following the first notification, BI.ZONE may rely on an intermediary to try to establish contact with the vendor. If BI.ZONE exhausts all reasonable means to contact the vendor, then BI.ZONE may publish the information about the vulnerability in a public advisory fifteen (15) business days after the initial contact attempt.
  • If the deadline falls on a weekend, it will be moved to the next nearest business day.
  • If, prior to the expiration of the 90-day deadline, a vendor notifies us that it plans to release a patch on a specific day no later than fourteen (14) days after the deadline, we shall delay the publication of the information until such patch is made available.
  • The additional thirty (30) days shall not be granted to the vendor to deliver the patch to third parties if such patch was not ready within the 90-day timeframe.
  • When we come across a previously unknown and unpatched software vulnerability that is being actively exploited ("0-day"), we believe that it is appropriate to take more urgent measures within a 7-day period. There is a reason for this special provision: with each day that a 0-day vulnerability remains unpatched and undisclosed to the public, more devices or accounts may be subject to compromise. Seven days is a demanding deadline and may be too short for some vendors to update their products, but it should be enough to publish possible solutions, such as temporarily disabling the service, restricting access, or contacting the vendor for more information. Thus, if no patch or advisory on the vulnerability is released within the 7-day period, we will publish the details of the vulnerability so that the cybersecurity community can research it and users can take steps to protect themselves from its exploitation.
  • If a product vendor is unable to provide a security patch to close a particular security gap or decides not to do so, BI.ZONE will encourage that vendor to collaborate on publishing the details of the security gap and some effective workarounds to resolve the problem. We believe it is unethical to conceal information about a detected vulnerability because the vendor does not wish to address it. To maintain transparency into our communications with vendors, we plan to publish summaries of the communications we’ve had with vendors regarding issues of the nature described herein. We trust that this level of insight into our processes will allow the community to better understand some of the difficulties that vendors encounter when fixing high-impact bugs. BI.ZONE shall make all efforts to ensure that the vendors understand the technical details and severity of each revealed security gap.

Publication of information on vulnerability

BI.ZONE may dedicate a public webpage on its security blog which would display up-to-date information about the status of a vulnerability. No technical details of the vulnerability may be disclosed there until the set deadlines expire. BI.ZONE has the right to publish a vulnerability demonstration video on such a webpage without disclosing detailed technical information about the vulnerability. Such a video shall be agreed upon with the vendor in advance to ensure that no technical information is disclosed therein. The video must be published within thirty (30) days; the date of publication is coordinated with the vendor.