Responsible Disclosure Policy
The SEC Consult Vulnerability Lab is the integrated research organization of SEC Consult, an Eviden business, one of the leading international security consultancies, with a special focus and recognized experience in application security.
During vulnerability research and security testing, e.g., penetration tests, SEC Consult regularly discovers security vulnerabilities in commercial and open-source software products. While important vulnerability information should be provided to the vendor, to the product’s customers and the security community for a variety of reasons, it is equally important to minimize the risk vulnerability disclosure poses to the affected vendors and customers.
This Responsible Disclosure Policy gives vendors the information and the timeframe they need to validate and fix a security flaw, so that the public release of a security advisory can be coordinated between the vendor and SEC Consult as part of our responsible disclosure process. It also clarifies the extent and the limits of the effort the SEC Consult Vulnerability Lab will invest.
Changelog
| Version | Date | Status/Changes | Created by | Responsible |
|---|---|---|---|---|
| 1.0 | 2008-08-29 | Final version | B. Müller | B. Müller |
| 1.2 | 2011-03-31 | Updated version with amendments on effort sharing and refined process | J. Greil | M. Eiszner |
| 1.3 | 2013-02-05 | Minor changes (logo, PGP key, formatting, ...) | J. Greil | J. Greil |
| 2.0 | 2014-03-07 | Major updates regarding disclosure procedure | J. Greil | J. Greil |
| 2.0.1 | 2014-10-29 | New PGP key | J. Greil | J. Greil |
| 3.0 | 2016-11-23 | New layout, minor adjustments, additional references, added S/MIME fingerprint | J. Greil | J. Greil |
| 3.0.1 | 2017-11-23 | Updated S/MIME fingerprint | J. Greil | J. Greil |
| 3.0.2 | 2019-09-02 | Updated PGP key expiry date, SEC Consult address | J. Greil | J. Greil |
| 3.0.3 | 2020-02-19 | Updated S/MIME fingerprint | J. Greil | J. Greil |
| 3.1 | 2021-02-15 | Updated PGP key expiry date, Atos logo | J. Greil | J. Greil |
| 3.2 | 2023-03-07 | Adjusted wording regarding deadlines, PGP key expiry update, contact information | J. Greil | J. Greil |
| 3.3 | 2023-05-15 | Further adjusted wording, address, new SEC Consult / Eviden logo | J. Greil | J. Greil |
| 3.3.1 | 2023-05-23 | Minor updates | J. Greil | J. Greil |