Neohapsis researchers and consultants regularly identify vulnerabilities in vendor-provided products during research and client engagements. Neohapsis will follow this responsible disclosure policy for identified vulnerabilities.
When a Neohapsis researcher identifies a security vulnerability or issue that specifically relates to a vendor product or product family, Neohapsis will:
- Attempt to contact the appropriate vendor via email and telephone and expect a vendor acknowledgement of the notification within seven days. To ensure confidentiality, integrity and authenticity of communications, a PGP public key will be provided in this initial contact attempt, and this will be used to encrypt/sign all subsequent communications including all vulnerability details.
- Subsequently provide full details of the identified vulnerability including all relevant data, code and information needed to reproduce and understand the vulnerability.
Neohapsis will then expect:
- The vulnerability to be remediated within 30 days of vendor acknowledgement OR to receive a reasonable statement on why the issue cannot be remediated in this timeframe.
- To be provided with regular updates on the status of the remediation efforts throughout the remediation process.
Neohapsis understands that valid reasons may exist for a vendor being unable to remediate an issue within the 30-day window; if a good-faith effort toward remediation is being made, disclosure of the vulnerability will be delayed. If, at the end of 30 days, the vendor has neither remediated the issue nor provided a reasonable statement on why it cannot be remediated, Neohapsis will release a limited advisory including mitigation strategies to protect users and consumers.
When remediation is completed and verified, Neohapsis and the vendor will jointly release the advisory on the Neohapsis website and on public security mailing lists.
Note: This policy does not preclude any client confidentiality or non-disclosure agreements; where relevant, client agreements take priority.