SPI Labs Security Vulnerability Reporting Guide

This document outlines the policy and procedure followed by SPI Labs for the disclosure of security vulnerabilities. SPI Labs engineers will comply with the responsible security vulnerability disclosure process proposed to the Internet Engineering Task Force (IETF). The goals of responsible disclosure include:

1 - Ensure that vulnerabilities can be identified and eliminated effectively and efficiently for all parties.
2 - Minimize the risk to customers from vulnerabilities that could allow damage to their systems.
3 - Provide customers with sufficient information for them to evaluate the level of security in Vendors' products.
4 - Provide the security community with the information necessary to develop tools and methods for identifying, managing, and reducing the risks of vulnerabilities in information technology.
5 - Minimize the amount of time and resources required to manage vulnerability information.
6 - Facilitate long-term research and development of techniques, products, and processes for avoiding or mitigating vulnerabilities.

Parties involved in vulnerability disclosure

There are 4 individuals or groups ("Parties") that may be involved during the entire process. The Parties are listed below:

Vendor: The Vendor is an individual or organization who provides, develops, or maintains software, hardware, or services, possibly for free.

Customer: The Customer is the end user of the software, hardware, or service that may be affected by the vulnerability.

Reporter: The Reporter is the individual or organization that informs (or attempts to inform) the Vendor of the vulnerability. Note that the Reporter may not have been the initial discoverer of the problem.

Coordinator: The Coordinator is an individual or organization who works with the Reporter and the Vendor to analyze and address the vulnerability. Coordinators are often well-known third parties. The use of Coordinators by other parties is not a requirement.
115 Perimeter Center Place, Suite 270, Atlanta, GA 30346 (t) 678.781.4800 (f) 678.781.4850 www.spidynamics.com

During the process, SPI Labs engineers will take the role of Reporter and/or Coordinator, as defined by the IETF.

Phases of responsible security vulnerability disclosure

The vulnerability disclosure process is made up of 6 phases. One or more of the parties listed above may participate in any given phase. Listed below are the phases.

1 - Discovery Phase: One or more individuals or organizations discover the flaw through casual evaluation, by accident, or as a result of focused analysis and testing. In some cases, knowledge of the flaw may be kept within a particular group. A vulnerability report or an exploit program may be discovered "in the wild," i.e., in use by malicious attackers or made available for use and distribution.

2 - Notification Phase: A Reporter or Coordinator notifies the Vendor of the vulnerability ("Initial Notification"). In turn, the Vendor provides the Reporter or Coordinator with assurances that the notification was received ("Vendor Receipt").

3 - Validation Phase: The Vendor or other parties verify and validate the Reporter's claims ("Reproduction").

4 - Resolution Phase: The Vendor and other parties identify where the flaw resides ("Diagnosis"). The Vendor develops a patch or workaround that eliminates or reduces the risk of the vulnerability ("Fix Development"). The patch is then tested by other parties (such as a Reporter or Coordinator) to ensure that the flaw has been corrected ("Patch Testing").

5 - Release Phase: The Vendor, Coordinator, and/or Reporter release the information about the vulnerability, along with its resolution. The Vendor may initially release this information to its customers and other organizations with which it may have special relationships ("Limited Release"). The Vendor or other parties may then release the information, possibly with additional details, to the security community.
6 - Follow-up Phase: The Vendor, customer, Coordinator, Reporter, or security community may conduct additional analysis of the vulnerability or the quality of its resolution.

Reporter Responsibilities

Policy and procedure during each of the 6 Phases

Listed below are the policy and procedure SPI Labs will follow during each of the 6 phases of vulnerability disclosure.

Discovery Phase

The Reporter should always make a reasonable effort to ensure that the vulnerability is real.

Notification Phase - Initial Vendor Notification

1 - The Reporter should make reasonable efforts to use the appropriate channels for notifying the Vendor of the vulnerability.
  a - The Reporter should attempt to notify the Vendor through the channels described in this section.
  b - If the Vendor is not accessible through those channels, then the Reporter may attempt to contact the Vendor through technical support.
2 - If the Reporter is unable to notify the Vendor, then the Reporter should ask a Coordinator to notify the Vendor.
3 - The Reporter and/or Coordinator should record the date of notification.
4 - The Reporter should provide the Vendor, and the Coordinator (if any), with all known details of the issue, including any programs, scripts, or pseudo-code that would allow the Vendor to reproduce and/or confirm the vulnerability.

Validation Phase

1 - The Reporter should work with the Vendor in a timely fashion to explain the vulnerability and conduct further analysis.
2 - If the Vendor does not understand the nature, risk, or resolution of the vulnerability, then the Reporter or involved Coordinators should provide the Vendor with resources that help to explain the vulnerability.
3 - The Reporter should grant time extensions to the Vendor if there is evidence that the Vendor is acting in good faith to resolve the vulnerability.
4 - If the Vendor is unresponsive or disagrees with the Reporter's findings, then the Reporter should involve a Coordinator.

Resolution Phase

1 - The Reporter should recognize that it may be difficult for a Vendor to resolve a vulnerability within 30 days.
2 - The Reporter should grant time extensions to the Vendor if the Vendor is acting in good faith to resolve the vulnerability.
3 - If the Vendor is unresponsive or uncooperative, or a dispute arises, then the Reporter should work with a Coordinator to identify the best available resolution for the vulnerability.

Release Phase

1 - The Reporter should work with the Vendor and involved Coordinators to arrange a date after which the vulnerability information may be released.
2 - If the Vendor has not resolved the vulnerability within a time frame that is allowed by this process, then the Reporter should work with a Coordinator to announce the vulnerability to customers and the security community.
3 - If a Vendor requests a Grace Period, then the Reporter should follow the Grace Period before releasing details of the vulnerability.
4 - After the Grace Period, the Reporter may release additional details. The Reporter should carefully consider how much detail is needed by customers and the security community.
5 - The Reporter should provide credit to any Vendor and/or Coordinator who has followed the process.

Policy Publication

If a Reporter is a member of the security community and the Reporter frequently finds new vulnerabilities, then the Reporter should publish a policy and procedures statement that includes the following information:

1 - Where it complies (and does not comply) with the process outlined in this document.
2 - The maximum Grace Period that the Reporter is willing to follow.

Copyright © The Internet Society (2002). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without any restrictions of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works.