Responsible Disclosure Policy
As a cybersecurity company, TAD GROUP fully understands and acknowledges the risks our clients face in the event that a zero-day vulnerability is exploited. Therefore, it is our sole responsibility to fix vulnerabilities found in any of our websites, services or products as soon as possible. Until the issue has been resolved, TAD GROUP will stay in constant touch with the reporter.
Our responsible disclosure policy consists of three stages, executed in order of description.
Stage 1: Disclosure and Risk Assessment
Once we are notified of a vulnerability affecting any of our products or services, we will immediately respond and refer the report to our Emergency Response Team (ERT). The vulnerability will be classified and its scope and risk assessed according to the CVSS v3 specification. This gives us a clear picture of the severity and of how many of our customers may be affected by the vulnerability.
Stage 2: Remediation
When the vulnerability has been acknowledged, an emergency fix will be released and, depending on the severity of the vulnerability, it may also trigger an automatic update on our customers' deployed systems. If the vulnerability affects an open-source product of TAD GROUP, the patch will be made available to the public within this stage.
Our grace period is the bare minimum of time it would take us to handle the incident, and we kindly ask third parties that are disclosing a vulnerability to honor our time window. The release of a patch will happen within the first 30 days after the vulnerability has been accepted by TAD GROUP's Emergency Response Team.
Stage 3: Acknowledgement
We appreciate the efforts of every researcher who has opted to follow our Responsible Disclosure Policy and has disclosed a security issue in a responsible manner that does not affect our customers' experience. Our Hall of Fame will explicitly list the name, alias or initials of the reporter. If you would prefer not to be publicly recognized on our website, please state so during the process.
Guidelines for responsible disclosure
- Avoid privacy violations and confidential information sharing;
- Allow up to 30 days, as per our Responsible Disclosure Policy, for the release of a fix and acknowledgement of the security vulnerability;
- Present a description of the vulnerability accompanied by the affected hosts/products and the attack vector used to exploit the vulnerability. Address this information to security [at] tadgroup.com.
Out of scope
If the vulnerability falls into any of the following categories, it will not qualify:
- Banner disclosure on public services and service enumeration.
- Disclosure of known public files or directories (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking except for when it can be demonstrated to enable a specific, real-world attack with measurable security impact. Proof-of-concept code is absolutely required.
- Vulnerabilities that require extensive or obtuse social engineering.
- Lack of anti-CSRF tokens on forms that are available to anonymous users (e.g. contact forms).
- Content spoofing (e.g. through MIME type).
- Missing cookie flags on non-sensitive cookies.
- Exhaustive search attacks or lack of rate limiting (e.g. denial of service, resource depletion, etc.).
- Network and application configurations that do not directly pose a security threat to our infrastructure or products (including theoretical and low-risk vulnerabilities that are either missing a viable proof-of-concept or involve sniffing that cannot be carried out remotely).
- Vulnerabilities that have already been addressed in a product update regardless of whether the update has been applied to the publicly available research machines.
We value and follow the responsible disclosure policies of other vendors when conducting penetration tests and security evaluations for our clients, and we expect researchers to adhere to our policy as well.
Hall of Fame
< No disclosures as of now >