Public security advisories released by the consultants of Blaze Information Security
Last modified: 28 July 2016
Blaze Information Security will try to contact the vendor via commonly established vulnerability disclosure channels such as security@vendor, security-alert@vendor, psirt@vendor and similar e-mail addresses. Should this contact attempt not produce any response, the research team will try to contact the vendor via telephone.
If the vulnerability information is successfully received (i.e., the e-mail did not bounce) but the vendor does not respond, Blaze Information Security will attempt a second contact with the vendor 7 days after the initial notification. If the vendor is still not responsive 15 days after the second attempt, details about the vulnerability will be made public regardless of whether a patch or a workaround to mitigate the issue exists.
If the vendor does not have a well-established vulnerability disclosure channel, Blaze Information Security will ask CERT/CC to intermediate the process. If this last attempt fails, Blaze reserves the right to publicly disclose all relevant information regarding the vulnerability without any further warning to the vendor.
Whenever possible Blaze will send the details about the vulnerability via e-mail, encrypted with PGP. Our public key can be found in the appendix [1].
Vendors are expected to provide a patch for the vulnerability within 45 days. Under exceptional circumstances this grace period can be extended up to 90 days, depending on the severity of the vulnerability and the difficulty of fixing it. If a patch is not available by the end of the established time frame, details of the vulnerability will be publicly disclosed.
We strongly believe security advisories have to contain enough information to reproduce the vulnerability. This includes a working proof of concept in the advisory. While at least a simple proof of concept will be made available in most cases, it is at the discretion of Blaze Information Security whether to disclose weaponized exploits with its advisories.
[1] Public key: https://pgp.mit.edu/pks/lookup?op=get&search=0x09BDAA7993E7AE65