Vulnerability Disclosure Policy
At watchTowr, we take our responsibility of identifying and reporting security vulnerabilities seriously. We believe that security vulnerabilities should be disclosed to vendors in a responsible manner that allows them to address the issue without putting their users at risk. To that end, we have developed the following Vulnerability Disclosure Policy (VDP).
At watchTowr, we proactively audit security-critical codebases which we notice our clients rely on. This feeds our ability to keep external attack surfaces secure via the watchTowr Platform, as we can find and fix vulnerabilities before exploitation can affect our clients.
Typically, during these audits, we are concerned with high-impact, 'world-ending' vulnerabilities, but we often notice smaller bugs which have limited impact, or even those which have no impact at all but severely weaken the general security posture of a codebase. Usually in these cases, we work with the software vendor to have these bugs fixed, strengthening the codebase overall.
This policy applies to all security vulnerabilities that we discover in products or services offered by vendors. These vendors may include SaaS platforms, cloud providers, COTS software vendors, security appliance vendors and more.
Disclosure Process
When we identify a security vulnerability, we follow this process:
- Notify the vendor: We will make a good faith effort to contact the vendor as soon as possible after discovering the vulnerability. We will send an email to the vendor's security contact or a designated point of contact. The email will describe the vulnerability and provide sufficient detail to allow the vendor to reproduce and verify the issue. We will also provide a timeline for disclosure and request confirmation of receipt.
- Notify our clients: We make a good faith effort to notify our clients of their potential exposure, so that proactive mitigations can be implemented.
- Allow the vendor 90 days to respond: We believe that vendors should have sufficient time to investigate and address the vulnerability. Therefore, we will wait for a period of 90 days before disclosing the vulnerability publicly. If the vendor needs more time, we will work with them to establish a new timeline.
- Coordinate with the vendor on disclosure: If the vendor confirms the vulnerability, we will work with them to determine an appropriate timeline for public disclosure. We will make a good faith effort to provide the vendor with a reasonable amount of time to develop and release a patch before we publicly disclose the vulnerability.
- Public disclosure: If the vendor fails to respond or does not address the vulnerability within the agreed timeline, we will make a public disclosure of the vulnerability. We will also include a summary of our efforts to contact the vendor and the timeline of our disclosure process.
We believe that responsible disclosure is important, and we will work with vendors to ensure that their users are not put at risk by the disclosure of a vulnerability. We will not disclose any vulnerability that we believe could be used to harm users or that could be exploited before the vendor has had a reasonable amount of time to address the issue.
However, we (watchTowr) reserve the right, if we believe it is in the best interest of users or the vendor/target of our report is not acting in good faith, to deviate from this 90-day policy and disclose in a manner that we deem appropriate.
It should be noted that VDPs are not bound or regulated by legislation, and thus we act within our own ethical and moral standards, towards both our clients and the wider community.
We conduct all vulnerability research in compliance with applicable laws and regulations. We will not engage in any activity that violates the law or the rights of others.
We believe that this Vulnerability Disclosure Policy will help ensure that vendors are notified of security vulnerabilities in a responsible manner and that their users are protected from potential harm. We will continue to update and refine this policy as necessary to ensure that it reflects current best practices and industry standards.