Public security advisories released by the consultants of Blaze Information Security
Files in this repository (file, latest commit message, commit date):

- README.md
- disclosure-policy.txt: Added vulnerability disclosure policy (Jul 28, 2016)
- porteus-kiosk-chrome-bypass.txt: Fixed typo in the disclosure timeline. (Mar 29, 2017)
- signal-advisory.txt: Update public key fingerprint. (Mar 24, 2019)
- telegram-advisory.txt: Telegram's IDN homograph attack advisory. (Mar 25, 2019)

README.md

Security advisories


Vulnerability disclosure policy

Last modified: 28 July 2016

Contacting the vendor

Blaze Information Security will try to contact the vendor via commonly established vulnerability disclosure channels such as security@vendor, security-alert@vendor, psirt@vendor and similar e-mail addresses. Should this contact attempt not produce any response, the research team will try to contact the vendor by telephone.

If the vulnerability information is successfully received (i.e., the e-mail did not bounce) but the vendor does not respond, Blaze Information Security will attempt a second contact with the vendor 7 days after the initial notification. If the vendor is still unresponsive 15 days after the second attempt, details about the vulnerability will be made public regardless of whether a patch or a workaround to mitigate the issue exists.

If the vendor does not have a well-established vulnerability disclosure channel, Blaze Information Security will ask CERT/CC to intermediate the process. If this last attempt fails, Blaze reserves the right to publicly disclose all relevant information regarding the vulnerability without any further warning to the vendor.

Delivering the vulnerability report

Whenever possible, Blaze will send the details about the vulnerability via e-mail, encrypted with PGP. Our public key can be found in the appendix [1].

What we expect from vendors

Vendors are expected to provide a patch for the vulnerability within 45 days. Under some exceptional circumstances this grace period can be extended up to 90 days, depending on the severity of the vulnerability and the difficulty of fixing it. If a patch is not available by the end of the established time frame, details of the vulnerability will be publicly disclosed.

Disclosure of proofs of concept

We strongly believe security advisories have to contain enough information to reproduce the vulnerability. This includes the presence of a working proof of concept in the advisory. While at least a simple proof of concept will be made available in most cases, it is at the discretion of Blaze Information Security whether to disclose weaponized exploits with its advisories.

Appendix

[1] Public key: https://pgp.mit.edu/pks/lookup?op=get&search=0x09BDAA7993E7AE65
