At Context we are committed to ensuring and improving the security of our clients. Whether for clients or our own purposes we regularly carry out independent security audits and vulnerability research against third-party software and hardware products. Where critical security vulnerabilities are identified, we will inform the affected vendors so that they can fix the issues and improve the security of the product for all of their users. The end goal of all of our research is the same: improving the security of whatever it is we are looking at. We do publicise our more interesting research in order to highlight the importance of security, following the issue of a vendor’s patch.
This statement forms our disclosure policy, to which Context will adhere for the disclosure of vulnerabilities to vendors and to the general public. This policy only covers vulnerabilities that have been identified outside of client contracts and engagements. Where vulnerabilities are identified during a client engagement, Context will work with the client, and their requirements, throughout the disclosure process. Our Responsible Disclosure policy is designed to allow for vulnerabilities to be disclosed and fixed by vendors whilst minimising the risk that the vulnerability poses to our clients and to other users.
Whilst industry time frames for publicly disclosing vulnerabilities after informing the vendor vary wildly, Context has chosen to take a flexible approach to this. We believe that a 90 day grace period provides an adequate amount of time for a vendor to replicate, fix and distribute a patch for the majority of vulnerabilities. However, where vendors reasonably require more time to develop and distribute a fix this shall be agreed up front, as we understand that a fixed timescale is not always achievable for updating certain classes of products. Where vulnerabilities critically affect the security of our clients, with the vendor’s written permission Context may choose to disclose details of the vulnerability to affected clients and trusted CERTs, always under NDA, before the end of the grace period so they may prepare mitigations to protect themselves. Where vendors issue a fix before the agreed grace period, Context will allow 14 days for dissemination of the fix before publishing details of the vulnerability.
When disclosing issues to a vendor, Context will make every reasonable attempt to contact the vendor with details of the vulnerability. Where vendors are unresponsive, Context may elect to disclose details of the vulnerability in accordance with the above time scales.
Exceptions to this policy may arise, in which event Context will work with the vendor on a case by case basis.
Details of a number of previously identified vulnerabilities can be found on our whitepapers and blog pages. We endeavour to review, and if deemed appropriate, amend this policy regularly. Please feel free to contact us for more details at ZeroDay@contextis.com.