TippingPoint Zero Day Initiative

Disclosure Policy

This policy outlines how HP DVLabs handles responsible vulnerability disclosure to product vendors, HP TippingPoint customers, security vendors and the general public.

HP DVLabs will responsibly and promptly notify the appropriate product vendor of a security flaw with their product(s) or service(s). The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail to security@, support@, info@, and secure@company.com with the pertinent information about the vulnerability. Simultaneous with the vendor being notified, DVLabs may distribute vulnerability protection filters to its customers' IPS devices through the Digital Vaccine service.

If a vendor fails to acknowledge DVLabs' initial notification within five business days, DVLabs will initiate a second formal contact by a direct telephone call to a representative for that vendor. If a vendor fails to respond after an additional five business days following the second notification, DVLabs may rely on an intermediary to try to establish contact with the vendor. If DVLabs exhausts all reasonable means in order to contact a vendor, then DVLabs may issue a public advisory disclosing its findings fifteen business days after the initial contact.

If a vendor response is received within the timeframe outlined above, DVLabs will allow the vendor 4 months to address the vulnerability with a patch. At the end of the deadline, if a vendor is not responsive or is unable to provide a reasonable statement as to why the vulnerability is not fixed, the ZDI will publish a limited advisory including mitigation in an effort to enable the defensive community to protect the user. We believe that by doing so the vendor will understand the responsibility they have to their customers and will react appropriately.

We realize some issues may take longer than the deadline due to complexity and compatibility reasons and we are willing to work with vendors on a case-by-case basis. To maintain transparency into our process, if any vulnerability is given an extension we plan on publishing the communication we've had with the vendor regarding the issue once it is patched. We hope that this level of insight into our process will allow the community to better understand some of the difficulties vendors have when remediating high-impact bugs. DVLabs will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, DVLabs will offer to work with that vendor to publicly disclose the flaw with some effective workarounds. In no cases will an acquired vulnerability be 'kept quiet' because a product vendor does not wish to address it.

Before public disclosure of a vulnerability, DVLabs may share technical details of the vulnerability with other security vendors who are in a position to provide a protective response to a broader user base. Such a security vendor must show they are able to provide security protection for vulnerabilities, while at the same time not revealing the technical vulnerability details in their product updates.

DVLabs will formally and publicly release its security advisories on its Web site and on selected security mailing list outlets.

The main purpose of the Pwn2Own contest is to responsibly unearth new vulnerabilities and empirically demonstrate the current security posture of the most prevalent products in use today so that the affected vendor(s) can address them. All winning vulnerabilities (excluding sandbox escapes) will be handed over to the affected vendors at the conference through the ZDI, with the appropriate credit given to the contestant once the vendor patches the issue. Until then, the actual vulnerability will be kept quiet from the public. This is a required condition of entry into the contest; all entrants must agree to the responsible disclosure handling of their vulnerability/exploit (excluding post-exploitation issues such as sandbox escapes and other local vulnerabilities) through the ZDI. An awards ceremony at the end of the conference will present each winner with their prizes.

Any code execution vulnerability that the Zero Day Initiative awards a cash prize for becomes the property of the ZDI, and therefore the winner cannot discuss or disclose details of the 0-day until the affected vendor has successfully patched the issue. Any discussion of the bug prior to the public disclosure of a ZDI advisory will result in forfeiting of the prize. HP DVLabs is collaborating with the vendors to ensure that their response teams will be ready and waiting to receive any and all 0-day code execution or memory disclosure bugs that come out of this contest. For all other vulnerabilities, we are ready to forward the information on to the appropriate vendor upon verification of the issue, provided the contestant wishes to disclose them. In the case of local vulnerabilities, the contestant may choose to withhold disclosure (as has always been the case with Pwn2Own).