Vulnerability Disclosure Policy
At Tanto Security, we value the personal interests and growth of our consultants. As such, we allocate 20% of our consultants time to conduct vulnerability research on subjects and software of their interest.
During these research periods, vulnerabilities may be discovered. In these instances, Tanto Security will responsibly disclose these vulnerabilities to the vendors before making its information publicly accessible, adhering to our responsible vulnerability disclosure policy.
Tanto Security firmly believes in a reciprocal and accountable approach to vulnerability disclosure. It is our firm conviction that both vendors and researchers should conduct themselves in a responsible manner. Accordingly, Tanto Security adheres to a 90 + 30 days disclosure deadline. Where vendors are given 90 days to develop a reliable patch for reported vulnerabilities, and an additional 30 days after the patch's release to the users for the full disclosure of the vulnerability details.
Upon identification of a vulnerability in a vendor's software, we promptly inform the vendor providing all the required details for replicating the vulnerability. The 90-day countdown for the vendor to develop a reliable patch begins once the details are delivered.
In the absence of adequate updates from the vendor about the patching process during the 90-day time frame, Tanto Security will proactively attempt to communicate with the vendor requesting updates, up to three times throughout this period.
Upon the end of the 90-day period, or sooner if a fix is released by the vendor, we initiate a 30-day countdown for public disclosure of the identified vulnerability details. If the vendor fails to address the reported vulnerabilities within the initial 90-day time frame without providing a legitimate reason, Tanto Security will waive the 30-day extension and immediately release the details of the vulnerability at the conclusion of the 90-day period.
If either of the deadlines falls on a weekend or an Australian/US public holiday, the deadline will be shifted to the next business day.
If a vendor communicates to us prior to the completion of the 90-day deadline that a patch will be available within the next 14 days following the 90-day deadline, we might postpone the start of the 30-day public disclosure countdown until the patch is released. However, the total duration for vulnerability detail disclosure, including any extension, should not surpass 150 days.
Tanto Security retains the right to decline signing any document or Non-Disclosure Agreement, particularly those that may affect the 90+30 days disclosure deadline.
If reported vulnerabilities are overlooked by the vendor or deemed as features that do not need to be addressed, these may be immediately released to the public once the vendor has confirmed this evaluation.
If the vendor fails to provide a Common Vulnerabilities and Exposures identifier (CVE ID) for the reported vulnerabilities, Tanto Security retains the right to request a CVE ID for these vulnerabilities from the relevant authorities.
Despite these principles, Tanto Security reserves the right to adjust deadlines based on exceptional circumstances. We are committed to treating all vendors with equal rigor and fairness, and expect to be held to a similar standard.
Our policy aligns with our goal to enforce industry-wide promptness in addressing security issues. By asserting pressure for timely fixes, we aim to reduce the window for adversaries to exploit vulnerabilities, which in our view, leads to a safer internet environment for users.
Last updated: 19th July 2024