Vulnerability Disclosure Policy

Redfox Cyber Security Inc. (referred to as Redfox Cybersecurity in this policy) frequently uncovers critical security flaws or vulnerabilities in third-party code and systems, including vendor and open-source software. We advocate for responsible action from vendors and security researchers regarding vulnerability disclosure, aiming for prompt resolution and community awareness through patches and system updates. Redfox Cybersecurity adopts an approach aligned with Google Project Zero’s policy, setting a 90-day disclosure deadline.

Once we detect security vulnerabilities in third-party or open-source products, we provide a technical report to the vendors and open-source projects involved. The method of disclosure depends on factors such as client interests, community impact assessment protocols and any other relevant considerations.

We expect the developer to address the security vulnerability within ninety (90) days. If not resolved within this timeframe, Redfox Cybersecurity reserves the right to release details about the vulnerability in a manner that mitigates its potential harm and encourages further detection of such vulnerabilities. However, vendors may opt to disclose details early if they wish to align their announcement with an official security bulletin release, if technical details are already public due to development practices, or if a fix for affected products has already been implemented. Redfox Cybersecurity retains the discretion to delay publishing vulnerability details beyond the 90-day mark if deemed necessary.

Contact Steps

Redfox Cybersecurity follows a responsible disclosure process outlined below:

  • We endeavour to establish a secure communication channel with the vendor to discuss the vulnerability.
  • Redfox Cybersecurity shares a technical document outlining the discovered vulnerability along with a high-level recommendation for remediation to aid the vendor in understanding the risk involved.

Our initial outreach seeks to establish secure communication channels through official security disclosure mechanisms provided by the vendor, followed by direct email communication with potentially relevant contacts, and if necessary, outreach via social media channels (using direct messaging, not public channels). If all other methods fail, we may resort to contacting the vendor’s general office phone number.

Sensitive vulnerability details are not shared until a secure communication channel is confirmed. At this initial point of contact, both parties establish an open communication channel and designate one or more points of contact at Redfox Cybersecurity for collaboration purposes.

Once a secure channel is established, Redfox Cybersecurity provides the vendor with detailed vulnerability information, including supporting evidence and relevant details for understanding, reproducing, and ideally fixing the vulnerability. This information may include exploitation details, proof of concept code, and any specific replication instructions. Redfox Cybersecurity may assist in testing patches provided by vendors to ensure the issue has been effectively addressed. Our communication also includes our intent to publish the vulnerability within 90 days. If the vendor’s resolution or workaround is ready within this timeframe, it will be included in the initial disclosure. Otherwise, it will be published separately when available.

Unresponsive Contact

Redfox Cybersecurity makes reasonable efforts to contact the vendor throughout the 90-day period. However, if the vendor remains unresponsive, fails to address the reported issue within the stipulated timeframe, or disputes the severity of the reported vulnerability, Redfox Cybersecurity may expedite the disclosure process.

Beyond 90 Days

Redfox Cybersecurity may extend the disclosure period beyond 90 days if the vendor is actively working on a resolution or if disclosing the vulnerability prematurely could expose Redfox Cybersecurity's clients to undue risk.

Disclosure

Vulnerabilities deemed disclosable are published on the Redfox Cybersecurity blog, including details such as impact, replication steps, and in some cases, proof-of-concept code. Any mitigation steps or software patches provided by the vendor may also be included in the disclosure. Redfox Cybersecurity maintains a public GitHub repository of all disclosed vulnerabilities.

Client Communication

Redfox Cybersecurity will notify the client immediately of any vulnerabilities discovered through paid engagement, providing technical details and steps to replicate them through standard reporting channels. Redfox Cybersecurity may also notify relevant third-party vendors if deemed necessary for effective remediation while ensuring client confidentiality.

Goal

The overarching goal of this policy and Redfox Cybersecurity’s approach to disclosure is to enhance overall security for the community. It is not driven by financial motives or a desire for business opportunities. While collaboration with Redfox Cybersecurity is welcomed, there is no expectation for formal engagement from those notified about vulnerabilities in their solutions.

CVE ID | Title
Tenda N300 F3 Router Password Policy Bypass Vulnerability
Asus RT-N12+ B1’s Credentials Stored in Cleartext
Asus RT-N12+ B1’s Privilege Escalation via Improper Credential Storage
Asus RT-N12+ B1’s Insecure Credential Storage
Asus RT-N12+ B1’s CSV Injection
Digisol DG-GR1321 Password Policy Bypass
Digisol DG-GR1321 Incorrect Access Control
Digisol DG-GR1321 Password Storage in Plaintext
Netgear WNR614 Improper Authentication
Netgear WNR614 Cookie Without HTTPOnly / Secure Flag Set
Netgear WNR614 Password Policy Bypass
Netgear WNR614 Incorrect Access Control
Netgear WNR614 WPS PIN Exposure
Netgear WNR614 Insecure Permissions
LB-LINK BL-W1210M Inconsistent Password Policy
LB-LINK BL-W1210M Incorrect Access Control
LB-LINK BL-W1210M Credentials Stored in Cleartext
LB-LINK BL-W1210M Clickjacking
Syrotech SY-GPON-1110-WDONT Cookie Without Secure Flag Set
Syrotech SY-GPON-1110-WDONT Cookie Without HTTPOnly Flag Set
Syrotech SY-GPON-1110-WDONT Password Policy Bypass
Syrotech SY-GPON-1110-WDONT Cleartext Transmission
Syrotech SY-GPON-1110-WDONT Cleartext Storage
Syrotech SY-GPON-1110-WDONT Hard-Coded Credentials
Syrotech SY-GPON-1110-WDONT Default Credential Storage in Plaintext
Syrotech SY-GPON-1110-WDONT Insecure Storage
Syrotech SY-GPON-1110-WDONT Incorrect Access Control
