Vulnerability Disclosure Policy

At AmberWolf, security research is at the core of what we do. As part of our commitment to improving the security of our clients, as well as the wider technology ecosystem, we perform vulnerability research to identify and report vulnerabilities to software vendors. Our Vulnerability Disclosure Policy outlines our approach to responsibly disclosing vulnerabilities to ensure they are addressed effectively and in a timely manner.

We believe in an open and collaborative approach to vulnerability disclosure, prioritising the best interests of end users. Our primary focus is on ensuring that vulnerabilities are fixed quickly and transparently. We strive to work with vendors in a manner that encourages transparency and collaboration.

Disclosure Deadline

When we discover a vulnerability, we adhere to the following disclosure timelines:

  • We provide vendors with a 90-day window from the date of initial contact to address the reported vulnerability. This period allows the vendor sufficient time to develop and deploy a fix.
  • If the vendor releases a fix within the 90-day window, we will publicly disclose the vulnerability details to provide transparency and inform the community.
  • If the vendor does not release a fix within the 90-day window, we will proceed with public disclosure of the vulnerability details.

Accelerated Disclosure for Actively Exploited Vulnerabilities

If we observe that the reported vulnerability is being actively exploited in the wild, we will adjust the disclosure timeline as follows:

  • We will reduce the disclosure window to 7 days from the date of discovery or from the date we become aware of active exploitation. This expedited timeline aims to protect users from imminent harm by ensuring a prompt response. Additionally, it allows us to publish details, including mitigation advice, to help users protect themselves in the absence of a vendor-supplied patch.

Communication and Coordination

We prioritise open and constructive communication with vendors. Upon discovering a vulnerability, we will:

  • Contact the vendor through their designated security contact or through other means available.
  • Provide a detailed report outlining the nature of the vulnerability, potential impact, and suggested mitigations.
  • Offer assistance and collaboration to help the vendor understand the issue and develop a solution.

Exemptions and Special Considerations

In certain cases, we may adjust the disclosure timeline based on factors such as:

  • The complexity of the vulnerability and the estimated time required for the vendor to develop a fix.
  • The potential impact on users and the severity of the vulnerability.
  • Any request from the vendor for an extension, provided that reasonable progress towards a resolution is being made.

Publication of Findings

Once the disclosure timeline has lapsed, or a fix has been released by the vendor, we will publish our findings on our website. This publication will include:

  • A detailed technical description of the vulnerability.
  • The timeline of discovery, reporting, and resolution.
  • The steps taken by the vendor to address the issue.

Policy Changes

AmberWolf reserves the right to modify or update this Vulnerability Disclosure Policy at any time. Any changes will be communicated through our website or other appropriate channels. Please note that this policy is intended as a guideline. The primary purpose is to establish a transparent process for the responsible disclosure of vulnerabilities and to facilitate effective communication with software vendors and the public.

Commitment to Responsible Disclosure

Our goal is to enhance the security of all users by responsibly reporting vulnerabilities. We believe that a transparent and collaborative approach benefits both vendors and the broader community.

For any questions regarding this policy, please contact [email protected].