Atredis Partners Disclosure Policy
Atredis Partners believes that coordinated, timely disclosure of security vulnerabilities is in the best interest of our customers and the public at large. Atredis Partners regularly identifies security vulnerabilities in the course of our work, both during client engagements and through our own independent security research.
For vulnerabilities that are identified during the course of an engagement, we collaborate with our clients on the disclosure workflow, following the client's disclosure procedure, where applicable. For vulnerabilities identified by Atredis Partners outside of client engagements, we coordinate the disclosure process with the responsible vendor along with the CERT/CC organization.
The process typically takes 90 days and consists of the following steps:
- Atredis will attempt to contact the appropriate product vendor or software author(s) by email and/or telephone.
- Atredis will provide detailed information about the vulnerability to the product vendor or software author(s).
- 45 days after this notification, Atredis will send a copy of the vulnerability details to CERT/CC, who may assist with further coordination.
- 90 days after notifying the product vendor, and in keeping with CERT/CC's 45-day disclosure policy, Atredis and CERT/CC will publish an advisory containing the details and status of the vulnerability. This 90-day schedule may change to accommodate weekends, holidays, and extenuating circumstances. This advisory will be made available to the general public.