Vulnerability Disclosure Policy

Updated: Feb 11, 2020

Purpose of this policy

   This policy exists to establish a guideline for interaction between a
   researcher and Postscript. It serves to quash assumptions and
   clearly define intentions, so that both parties may immediately and
   effectively gauge the problem, produce a solution, and disclose the
   vulnerability.

Policy definitions

   The ISSUE is the vulnerability, problem, or other reason for
   contact and communication.

   The ORIGINATOR is the individual or group submitting the ISSUE.

   The DATE OF CONTACT is the point in time when the ORIGINATOR
   contacts Postscript.

   All dates, times, and time zones are relative to the ORIGINATOR.

   A work day is generally defined with respect to the ORIGINATOR.

Policy

   A. The ORIGINATOR will send email regarding the ISSUE to
   Postscript; the point in time when email is sent from the ORIGINATOR
   is considered the DATE OF CONTACT.

   The ORIGINATOR can contact Postscript at the following email address:
   security@postscript.io

   B. Postscript is to be given 10 working days (with respect to the
   ORIGINATOR) from the DATE OF CONTACT; should no contact occur by the
   end of 10 working days, the ORIGINATOR should disclose the ISSUE.
   Should Postscript contact the ORIGINATOR within the 10 working
   days, it is at the discretion of the ORIGINATOR to delay disclosure
   past 10 working days. The decision to delay should be based upon
   active communication between the ORIGINATOR and Postscript.

   C. Requests from Postscript for help in reproducing problems or
   for additional information should be honored by the ORIGINATOR. The
   ORIGINATOR is encouraged to delay disclosure of the ISSUE if the
   MAINTAINER provides feasible reasons for requiring so.

   D. Postscript will be given 90 days from the DATE OF CONTACT
   to deploy a patch for the ISSUE.

   E. In respect for the ORIGINATOR following this policy, Postscript
   will provide proper credit to the ORIGINATOR for doing so.
   Suggested credit would be:

   "Credit to [ORIGINATOR] for disclosing the problem to Postscript."

   F. If the ISSUE is publicly disclosed by a third party, the
   ORIGINATOR is encouraged to discuss the current status of the ISSUE
   with Postscript; based on that discussion, the ORIGINATOR may
   choose to disclose the ISSUE. Postscript is encouraged to credit
   the ORIGINATOR for discovering the ISSUE. Should Postscript
   disclose the ISSUE, or items supporting/relating to the ISSUE
   (patches, fixes, etc.), the ORIGINATOR may choose to disclose the
   ISSUE.

Credits

   Aleph1 [aleph1-at-securityfocus.com]
   Steve Manzuik [steve-at-securesolutions.org]
   Weld Pond [weld-at-atstake.com]
   Russ Cooper [russ.cooper-at-rc.on.ca]