Responsible disclosure

Tradecraft's mission is to help organisations to be more secure. We recognise that the premature disclosure of vulnerabilities can be counterproductive to that goal. However, we also believe that organisations can only protect themselves if they are aware of the problems that they have. As such, it's vital that accurate information about vulnerabilities be made public as soon as is reasonably possible.

Where we're able to contact vendors or software authors, we always do so and discuss remediation and disclosure privately. Our goal is to ensure that an update resolving the vulnerability in question is always available prior to its publication.

We may also contact other parties, such as users of vulnerable software, industry bodies or government bodies, to make them aware of an unpublished vulnerability. In these cases, we require any such party to commit to maintaining the confidentiality of the vulnerability until an update is available.

We also recognise that differences of opinion can occur about the seriousness of a given vulnerability, that not all authors are contactable and that not all authors are able or willing to address security issues in a timely fashion. In these cases, we believe disclosure to be the most responsible course of action we can take.

As such, our disclosure policy is as follows. Upon identifying a security vulnerability, we will:

  1. Attempt to identify a means of communicating privately with the vendor or author of the vulnerable software, and to report the issue to them.
  2. If we are unable to identify a means to communicate with a vendor or author, we will publish the vulnerability.
  3. If we have asked the vendor or author to contact us, or if we have reported the problem to them, we will wait for 14 days for the report to be acknowledged. If the report is not acknowledged after that time, we will publish the vulnerability.
  4. If the vendor or author responds to the report cooperatively, we will work with them to agree a date on which the vulnerability should be published.
  5. Having agreed a date, we will schedule the vulnerability for publication on that date.
  6. If it is not possible to agree a date, or if the vendor does not respond cooperatively, we will publish the vulnerability at our discretion. In this situation, we will do our best to balance the needs of the vendor and the needs of vulnerable users.
  7. If information about the vulnerability is published by a third party, we will immediately publish the vulnerability.

This policy is reviewed regularly, and may be changed without notice.