VDOO disclosure policy for security researchers and vulnerability reporters
This page is the point of contact for anyone wishing to report vulnerabilities. To report security or privacy issues in VDOO products or servers, as well as in other embedded products and associated servers, please submit a vulnerability report to firstname.lastname@example.org. You can find the public GPG key for communication at the bottom of this page.
VDOO will accept vulnerability disclosures in its scope, which includes:
Issues in VDOO products: VDOO is committed to ensuring the security of its products, and to helping other vendors develop and distribute secure products. For its own products, VDOO will review and fix all reported security vulnerabilities in a timely manner, working in full cooperation with the person or organization who reported them.
Issues in other embedded products: VDOO is also available to help external researchers report security vulnerabilities in a responsible and helpful way, as part of the company’s research scope, which includes embedded products developed and deployed by other vendors and the associated ecosystem, including servers and mobile applications. VDOO can help the researcher by assigning CVE numbers and publishing official advisories on the NIST and MITRE websites, in addition to VDOO’s website. VDOO can also help the vendor ensure that the disclosure takes place in a responsible manner.
VDOO only works with researchers who apply ethical hacking and responsible disclosure methods. Please refrain from any unlawful or malicious actions, do not access or make unauthorized changes to another company's systems and data, and do not harm the security and privacy of products and users.
For issues that affect vendors outside of VDOO’s scope, we will redirect your request to the MITRE Corporation or another applicable CVE Numbering Authority.
For any technical issues that do not pose a threat to privacy or security, please email us at email@example.com.
Submitting a vulnerability report
Please include the following information in the report:
Reporter: Name, contact information and affiliation.
Product: Software name, package and the URL through which the software was obtained.
Version: The affected version range.
Description: What is the vulnerability and how can it be exploited? In as much detail as possible, provide step-by-step guidance to setting up and executing the exploit (scripts and code examples are welcome). Since detailed vulnerabilities are easier to confirm, they will get higher priority.
Disclosure: Has the vulnerability been disclosed to other parties, publicly or privately? If so, when and to whom?
Other optional information that can help us process the report and communicate with you includes more information about yourself, the vulnerability type (for example, remote code execution), and its location in the code or binary. Other options include PGP keys for follow-up communications, proposed solutions or mitigations, and disclosure preferences, such as whether you would like to keep the report private and your preferred disclosure timelines.
Using PGP or GPG to encrypt and sign communications is recommended but not required.
Initial response: VDOO will respond with an initial confirmation within 48 hours after receiving the vulnerability report.
Disclosure review: The VDOO vulnerability research team will review the report within a week and respond by either confirming the report, requesting more information, or rejecting it (for example, if the information is insufficient and cannot be confirmed, or if the vulnerability has already been disclosed to VDOO or the public).
Contact the vendor: VDOO will contact the affected vendor within 72 hours once we have sufficient information on the vulnerability.
Reserve the CVE number: VDOO will also initiate the reservation of a CVE number within 72 hours after having sufficient information on the vulnerability, unless the vulnerability is meant to remain private.
Public disclosure: We prefer to receive the vendor's agreement in all cases. We also prefer to set disclosure timelines on a case-by-case basis, taking into account the vendor’s ability to patch the affected systems and any difficulties in doing so. However, we recommend a 120-day embargo period if the reporter wants to disclose the vulnerability without the vendor’s agreement. Because VDOO deals primarily with embedded devices, we believe that this period accurately reflects the time it would take for the vendor to test and roll out patches to remotely installed devices, while also respecting the reporter’s need for disclosure.
For the CVEs we help create, VDOO will publish the CVE information on its advisories page following the agreed upon disclosure embargo period.