Coordinated Vulnerability Disclosure Guidelines
At VPNBrains, we recognize that all technologies may have inherent security vulnerabilities.
In the interest of promoting good-faith security research and ensuring transparency, we are committed to safeguarding the public and the organizations that rely on our technologies.
The following guidelines describe how VPNBrains handles the disclosure of vulnerabilities:
Commitment to Security
We prioritize the safety of companies and their users who depend on technologies with potential vulnerabilities. Our objective is to contribute to cyber threat prevention and mitigate potential risks.
To achieve this, we adhere to a structured approach when we identify new vulnerabilities.
Responsible Disclosure Process
1. Notification to Responsible Entities
- Upon discovering a vulnerability, we make diligent efforts to identify and contact the responsible entity, typically the company or owner of the technology.
- Initial contact is made via email, providing a minimum 30-day grace period for the entity to address and patch the vulnerability. If a shorter period is preferable to the entity, we accommodate accordingly.
2. Information Sharing
- We strive to furnish comprehensive information to assist the company in resolving the vulnerability. Upon request, we may grant grace period extensions, particularly for complex vulnerabilities, up to a maximum of 120 days from the initial disclosure.
3. Engagement with CERT
- In cases where the company or owner is unresponsive, we collaborate with local Computer Emergency Response Team (CERT) offices whenever possible. This involves seeking assistance in contacting the entity and facilitating the patching process.
4. Communication Security
- When sharing sensitive information, we recommend communication via encrypted channels to ensure the confidentiality and integrity of the disclosed details.
5. Publication Protocol
- Generally, we publish vulnerability stories after confirmation of issue resolution. However, in cases where vulnerabilities remain unaddressed, we believe it is in the public interest to disclose the existence of technologies that are susceptible to potential cyber threats.
- Prior to publication, we take precautionary measures to minimize risks, avoiding the release of information that could enable malicious actors to exploit the vulnerability. We also inform the company or owner of our intent to publish, giving them an opportunity to share their perspective on the matter.
At VPNBrains, our commitment is not only to identifying vulnerabilities but also to collaboratively working towards securing the digital landscape for the benefit of all stakeholders.