01642 06 11 11 Arrange Call

Vulnerability Disclosure Policy

How we work with vendors when disclosing vulnerabilities
The Vulnerability Disclosure Policy aims to educate vendors about vulnerabilities and reduce risks by developing patches or workarounds. It also aims to inform the information security community and the public about the vulnerability and the measures they can take to prevent exploitation.

Under this policy, North Infosec Testing Ltd will provide the vendor with a 14-day response period from the date of initial contact, during which North Infosec Testing Ltd will make three attempts to contact the vendor. Failure to respond within the 14-day period may result in North Infosec Testing Ltd disclosing the vulnerability to its clients.

North Infosec Testing Ltd will cooperate with the vendor by providing information or assistance to reproduce the vulnerability. The vendor is responsible for providing regular status updates on the resolution of the vulnerability. Failure to communicate for more than 30 days may result in public disclosure.

The vendor is encouraged to give credit to North Infosec Testing Ltd and the researcher who discovered the vulnerability. A joint public release or disclosure is also recommended.

The vendor is given a maximum of 90 days to release a patch, after which North Infosec Testing Ltd may consider public disclosure. If a third party discloses the vulnerability, North Infosec Testing Ltd will work with the vendor for immediate disclosure.

If the vulnerability is actively exploited, North Infosec Testing Ltd will work with the vendor to disclose it within seven days. Proof of concept code or technical explanation of exploitation of a critical vulnerability may be withheld for up to 14 days after public disclosure to allow organizations to protect themselves.