Vulnerability Disclosure Policy
As a provider of security software, services, and research, we treat security issues as our top concern.
The objective of our Disclosure Policy is to ensure a quick and effective remediation of newly identified vulnerabilities while working in full coordination with other vendors, with the ultimate objective of securing our customers and the general public. Our process for disclosure will be as follows.
JSOF will notify the impacted vendors of a discovered vulnerability within their product or service. If we are unable to identify an official email for the security team, we will try to initiate contact via the formal public mechanisms listed on the vendor’s website. When an appropriate security contact can be established, we will share our findings.
During the 2 weeks following the initial contact attempt, JSOF will make 2 more documented attempts to contact the vendor, either directly or through third parties.
If no response is received within 2 weeks of the initial attempt, JSOF may choose to release the findings publicly in order to notify and/or protect the greater public.
If the vendor is responsive, we will do our best to work together and ensure the security issues identified are verified and resolved.
In order to notify and protect the greater public, JSOF may publicly disclose its findings 90 days from the initial contact attempt, or sooner if the vendor releases a fix.
If the vulnerability affects multiple vendors, and in some other cases, we may change policy guidelines according to our understanding of the public's best interest.
JSOF reserves the right to discuss and disclose any discovered vulnerability with other parties if we deem it is in the greater interest of providing a better overall response.
JSOF will formally and publicly release its security findings on its website and other locations, as deemed appropriate and responsible.
Contact us regarding any security vulnerability at firstname.lastname@example.org