Security Risk Advisors Intl, LLC – Disclosure Policy


This policy outlines how Security Risk Advisors (SRA) handles responsible vulnerability disclosure to product vendors, security vendors, and the public.


Notification

Once a vulnerability has been identified and confirmed through our own research and/or services, we will notify the product vendor of the security flaw within its product or service. SRA will make three (3) attempts to reach the vendor through formal methods (e.g., email, phone, disclosure portals). After each of these attempts, SRA will give the vendor 5 days to acknowledge and respond.

Email messages will originate from advisories@sra.io.


Disclosure

If SRA exhausts all reasonable means to contact a vendor, then SRA may issue a public advisory disclosing its findings thirty (30) days after the initial contact.

If a response is received, SRA will allow the vendor three months (90 days) to address the flaw with a security patch or other corrective measure. During this time, the vendor is expected to maintain open communication with SRA and to provide regular updates on the status of the remediation/patch. The vendor is encouraged to credit SRA and the individuals who identified the vulnerability (e.g., “Credit to [Researcher] from Security Risk Advisors for identifying and responsibly disclosing the vulnerability to [vendor]”).

After the vendor has publicly issued a patch or fix within the agreed-upon timeframe, SRA will release a public advisory disclosing its findings, along with a timeline from initial disclosure to publication of the advisory.


Last Modified: Q2 2023