Vulnerability Disclosure Policy
Updated: Feb 11, 2020
Purpose of this policy
This policy exists to establish a guideline for interaction between a
researcher and Postscript. It serves to quash assumptions and
clearly define intentions, so that both parties may immediately and
effectively gauge the problem, produce a solution, and disclose the
vulnerability.
Policy definitions
The ISSUE is the vulnerability, problem, or other reason for
contact and communication.
The ORIGINATOR is the individual or group submitting the ISSUE.
The DATE OF CONTACT is the point in time when the ORIGINATOR
contacts Postscript.
All dates, times, and time zones are relative to the ORIGINATOR.
A work day is generally defined with respect to the ORIGINATOR.
Policy
A. The ORIGINATOR will send an email regarding the ISSUE to
Postscript; the point in time when the email is sent by the ORIGINATOR
is considered the DATE OF CONTACT.
The ORIGINATOR can contact Postscript at the following email address:
security@postscript.io
B. Postscript is to be given 10 working days (with respect to the
ORIGINATOR) from the DATE OF CONTACT; should no contact occur by the
end of the 10 working days, the ORIGINATOR should disclose the ISSUE.
Should Postscript contact the ORIGINATOR within the 10 working
days, it is at the discretion of the ORIGINATOR to delay disclosure
past 10 working days. The decision to delay should be based upon
active communication between the ORIGINATOR and Postscript.
C. Requests from Postscript for help in reproducing the problem or
for additional information should be honored by the ORIGINATOR. The
ORIGINATOR is encouraged to delay disclosure of the ISSUE if
Postscript provides feasible reasons for requiring it.
D. Postscript will be given 90 days from the DATE OF CONTACT
to deploy a patch for the ISSUE.
E. In recognition of the ORIGINATOR following this policy, Postscript
will provide proper credit to the ORIGINATOR for doing so.
Suggested credit would be:
"Credit to [ORIGINATOR] for disclosing the problem to Postscript."
F. If the ISSUE is publicly disclosed by a third party, the
ORIGINATOR is encouraged to discuss the current status of the ISSUE
with Postscript; based on that discussion, the ORIGINATOR may
choose to disclose the ISSUE. Postscript is encouraged to credit
the ORIGINATOR for discovering the ISSUE. Should Postscript
disclose the ISSUE, or items supporting or relating to the ISSUE
(patches, fixes, etc.), the ORIGINATOR may choose to disclose the
ISSUE.
Credits
Aleph1 [aleph1-at-securityfocus.com]
Steve Manzuik [steve-at-securesolutions.org]
Weld Pond [weld-at-atstake.com]
Russ Cooper [russ.cooper-at-rc.on.ca]