Coordinated Vulnerability Disclosure (CVD) Policy
At Redline Cyber Security, we are committed to the principles of Coordinated Vulnerability Disclosure (CVD), in alignment with industry best practices and international standards, including the disclosure guidelines published by CERT/CC, Rapid7, Google, and ZDI, and the ISO 29147 and ISO 30111 standards. Our approach is centered on the clear, ethical, and responsible handling and disclosure of vulnerabilities in order to improve overall cybersecurity.
Consistent with these best practices, Redline Cyber Security generally aims to publish detailed advisories about newly identified vulnerabilities around 60 days after our initial private disclosure attempts. This timeframe is subject to modification based on specific circumstances, including those that may necessitate a deviation from standard guidelines. These advisories will be shared through our official channels, including the Redline Cyber Security blog and social media platforms, and may involve media engagement depending on the nature of the findings.
Our policy acknowledges that the nuances of coordinated vulnerability disclosure vary with each case, influenced by diverse factors. Redline Cyber Security's foremost priority is to facilitate the resolution of vulnerabilities and to inform affected parties about the associated risks. In line with these objectives and our guiding principles, we recognize various categories of vulnerabilities, each requiring tailored disclosure guidelines to ensure effective and responsible communication.
1. Initial Vendor Contact and Notification
Upon discovering a potential security vulnerability in a vendor's product or system, our team will conduct thorough verification to confirm the issue and assess its impact. We will privately report the vulnerability to the affected vendor using their preferred reporting channels. This report will include a detailed description, the potential impact, and steps to reproduce the issue. A vendor that acknowledges the report is considered a "responsive organization".
- After 15 days, we will report the vulnerability to a CERT coordination center (such as CERT/CC).
- If the affected vendor has not acknowledged the initial disclosure by this time, Redline Cyber Security will consider the vendor a "non-responsive organization". An auto-reply message does not count as a response.
3. Collaborative Engagement with the Vendor
For responsive organizations, we will maintain an open line of communication with them, providing any necessary assistance or additional information to aid in their understanding and resolution of the issue.
4. Negotiating Disclosure Timelines
A typical timeline of approximately 60 days from the initial report is proposed for the vendor to investigate and remediate the vulnerability. This period may be adjusted based on the complexity or severity of the issue.
- During this 60-day window, Redline Cyber Security expects the vendor to provide a solution and make any patch or update available to affected parties.
6. Encourage Timely Release of a Fix
Throughout the process, we actively encourage the vendor to develop and release a fix or patch for the vulnerability. We maintain regular communication to monitor their progress and offer any necessary assistance.
- If the vendor is making a good-faith effort to complete this work within 60 days, a 30-day extension may be granted at the sole discretion of Redline Cyber Security.
7. Preparation for Public Disclosure
Following successful mitigation, we will coordinate with the vendor to prepare a joint public disclosure. This includes the timing and content of the announcement, ensuring all relevant information is accurately conveyed.
8. Public Disclosure and Advisory Publication
Public disclosure will typically occur around 60 days after the initial report, or once the issue has been addressed, in line with the negotiated timeline.
- If the CERT coordination center involved (such as CERT/CC) will not issue an advisory, the vulnerability will be published to a public forum that allows community validation (such as the Full-Disclosure mailing list, Exploit-DB, or Packet Storm), as well as through Redline Cyber Security's official channels, including the Redline Cyber Security blog and social media platforms. Publication may involve media engagement depending on the nature of the findings.
9. Review and Feedback Incorporation
Post-disclosure, our team will review the process to identify areas for improvement and integrate feedback for future disclosures.
10. Ethical and Legal Considerations
Throughout the discovery, reporting, and disclosure process, we adhere to the highest ethical standards, ensuring no legal boundaries are crossed and that the privacy and operations of the vendor and their users are respected.
Vulnerabilities in Unmaintained Systems
These include issues found in outdated or abandoned software, or in systems maintained by organizations that do not respond to disclosures (non-responsive organizations).
- Redline Cyber Security will publish vulnerability details 45 days after providing the vulnerability details to CERT/CC, or on a timeline agreed upon with CERT/CC.
Feedback and Inquiries
Please share any thoughts on this coordinated vulnerability disclosure policy, or ask us questions, at cve@redlinecybersecurity.com.