Vulnerability Disclosure Policy
Security Advisories released by OISSG will use the following set of points as guidelines:
1. Educate vendor:
Vulnerability disclosure is aimed at educating the vendor so that they can minimize the risk to their customers. The definition of a security vulnerability that we follow is "a flaw in a system that can make it behave in a manner that is not expected and could possibly result in the machine being attacked by a remote or local attacker".
OISSG will contact the vendor regarding the vulnerability in their product(s) or service(s) by mail at the contact address provided in the distribution package or available on the website. A period of 5 working days will be given for acknowledging our mail, during which the vendor should confirm the presence of the bug. After this confirmation, OISSG will provide sufficient time for the fix or a workaround to be announced before announcing the advisory to the security mailing lists.
In case of no response from the vendor, a reminder mail will be sent to the vendor giving them a period of 3 working days to acknowledge.
If the vendor denies the existence of the bug, they must clarify the "false alarm" with the OISSG research team. Only after OISSG is confident that the bug really does not exist in the product(s) or service(s) will the discussion be closed.
If the vendor decides to release the patch with its "routine" maintenance updates, then they should clearly state this to the OISSG team and also give an approximate time frame within which they will do so.
2. Provide help:
The researchers at OISSG are willing to work with the vendor so that the vendor clearly understands the possible impact before the advisory is released. OISSG's research team has professionals who can provide a solution or workaround for the bug found, should the vendor need help from us.
3. Release advisory:
OISSG will release the advisory as soon as the vendor announces a fix or workaround for the vulnerability found by us. This advisory will be posted on our website as well as to all the major security mailing lists.
4. Format of the advisory:
The format and the details of the advisory are decided by the researchers at OISSG.
5. Special Cases:
If, in some cases, another researcher or group discovers the same vulnerability on which OISSG and the vendor are working, then the date of release shall be decided by that researcher or group, and OISSG and its members shall in no way be held responsible for the release.