Last updated: September 5th, 2019
Kraken Security Labs routinely conducts research into the security of commonly used applications, hardware, and products. The research is done to educate and protect end users of such services and products. This policy outlines how Kraken Security Labs handles responsible vulnerability disclosure when we discover security vulnerabilities in third-party products and services.
Kraken Security Labs will notify the appropriate vendor of a security flaw within their product(s) and/or service(s). The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor web site. If such contact information is not posted, Kraken Security Labs will make a best effort to locate an appropriate contact medium. Once a formal or appropriate contact mechanism has been found, the pertinent information about the vulnerability will be securely transmitted to the vendor.
If the vendor fails to acknowledge the initial notification within five (5) business days, Kraken Security Labs will make a second attempt to contact the vendor. If Kraken Security Labs exhausts all of the above means of contacting the vendor, then Kraken Security Labs may issue a public advisory disclosing its findings fifteen (15) business days after the initial contact attempt.
If a vendor response is received within the timeframe outlined above, Kraken Security Labs requests that the vendor specify a desired timeframe for remediation. Kraken Security Labs will allow the vendor up to ninety (90) calendar days to address the vulnerability with a patch. At the end of that deadline, or sooner if notified by the vendor, Kraken Security Labs will publish a publicly available advisory including mitigation recommendations in an effort to protect end users: this happens once the vulnerability has been patched, or if the vendor is unresponsive or unable to provide a reasonable statement as to why the vulnerability has not been fixed.
Kraken Security Labs will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Kraken Security Labs may offer to work with that vendor to publicly disclose the flaw with some effective workarounds.
In the event that Kraken Security Labs feels it is appropriate to immediately alert the general public of a vulnerability because of the risk it poses to the safety of end users of a product or service, Kraken Security Labs shall simultaneously advise the vendor and the general public of its findings. In its communication to the vendor, Kraken Security Labs shall list the factors used in deciding to immediately publish its findings.