Vulnerability Reporting and Coordinated Disclosure Policy
Purpose
This policy sets forth the reporting and disclosure process that BugProve, Inc. and its subsidiaries (collectively, “BugProve”) follow when we discover security vulnerabilities in non-BugProve products and services.
Disclaimer
The BugProve research team examines products, services, and firmware that are publicly available. Under the Terms of Service of the BugProve vulnerability management platform, firmware uploaded by users is classified as a Protected Asset and is not used for any research described in this policy. Such assets are strictly confidential, encrypted at rest, and accessible only to authorized administrative users for diagnostic and support purposes. Those users are separate from the research team and do not take part in research activities as defined by this policy.
Policy
This policy states the timeline, actions, and responsibilities that apply equally to all vendors.
Vendor Vulnerability Reporting and Disclosure
If a vulnerability is found in a vendor’s product or service, BugProve will attempt to notify the vendor by email. BugProve will first attempt to establish a secure communication channel with the vendor by exchanging PGP keys for encrypted email. If a secure channel is established, an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If BugProve receives no response to the request for a secure channel within seven (7) days, a description of the vulnerability will be sent to the vendor by email in plain text.
BugProve’s approach to vulnerability disclosure is based on industry standards and the vulnerability disclosure policy of the CERT Coordination Center (CERT/CC) at Carnegie Mellon University. For additional information, see the CERT/CC disclosure guidelines.
If BugProve discovers a vulnerability in a vendor’s product or service, it will take the following steps:
| Day | Actions to be Taken by BugProve |
|---|---|
| 0 | Initial vendor contact |
| 7 | Second vendor contact if there is no response to BugProve’s initial communication |
| 14 | Reminder email sent to the vendor stating the release date of the vulnerability report |
| 45 | Final reminder email sent if the vendor has not responded or has stopped responding |
| 90 | Publication of the full vulnerability report in the BugProve Knowledge Base and submission of a CVE publication request to MITRE. If the vendor releases a patch or mitigation before day 90, BugProve publishes the full report immediately after that release. |
In the interest of fostering coordinated vulnerability disclosure, BugProve will work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default is not sufficient to produce a patch or other mitigation for the vulnerability. Extenuating circumstances may also lead to adjustments of the disclosure steps and timelines where reasonably necessary. For critical vulnerabilities that affect a large user base, BugProve may involve coordination bodies such as computer emergency response teams (CERTs), the Cybersecurity and Infrastructure Security Agency (CISA), or the European Union Agency for Cybersecurity (ENISA) to coordinate public disclosure.
Contact Information
- Email address: security@bugprove.com. Use this address to report vulnerabilities discovered in BugProve software, and consult https://bugprove.com/.well-known/security.txt for additional information.
- PGP key: The BugProve vendor vulnerability public key (key ID 0x72538A5B) is available at https://keys.openpgp.org/vks/v1/by-fingerprint/72538A5BF63EA969FD83BD917FC0DB825DA7B7B1. After importing the key, verify that its full fingerprint is 72538A5BF63EA969FD83BD917FC0DB825DA7B7B1 before encrypting to it; a short key ID alone is not unique and should not be relied on for verification.
Definitions
This document is provided on an “as is” basis and does not imply any guarantee or warranty, including the warranties of merchantability or fitness for a particular purpose. Your use of the information in this document, or of materials linked from it, is at your own risk. BugProve reserves the right to change or update this document at any time without notice.