Assist vendors in understanding vulnerabilities and support them in mitigating risks through patches or workaround solutions.
Enable QuantumSabre to gain insights into vendor resolutions to develop additional protections in QuantumSabre’s security solutions and services.
Raise awareness within the information security community and the public, highlighting methods to reduce risks through vendor-released patches, workarounds, and preventive measures.
Goals
Educate vendors on identified vulnerabilities and facilitate the development of appropriate solutions to minimize associated risks.
Equip QuantumSabre with insights from vendor resolutions to strengthen its products and services.
Inform the cybersecurity community and the public about the vulnerability, sharing actionable risk reduction strategies and preventive measures.
Key Terms
Vendor: The entity or team managing the software, hardware, or systems associated with the identified vulnerability.
Initial Notification Date: The date on which QuantumSabre first contacts the vendor about the issue.
Time Standards: All referenced dates and times are relative to QuantumSabre’s operating time zone.
Days Counted: All durations are calculated in calendar days unless specified otherwise.
Policy Framework
Vendor Response Period:
Vendors are given up to 14 days from the initial notification to respond.
QuantumSabre will attempt contact three times within this period.
If no response is received within 14 days, QuantumSabre will assess the risk to its clients and may notify them of the vulnerability.
Support for Resolution:
QuantumSabre will make reasonable efforts to provide vendors with details needed to understand and address the issue, including environment configurations and reproduction steps.
Communication Expectations:
Vendors should provide consistent updates about their progress toward resolving the issue.
If a vendor does not communicate for more than 30 days, QuantumSabre may consider the vendor unresponsive and may proceed to public disclosure.
Acknowledgment of Discovery:
Vendors are encouraged to acknowledge QuantumSabre’s contributions and credit the researcher responsible for identifying the issue.
Suggested credit: “Acknowledgment to [researcher name] from the QuantumSabre Security Team for identifying this vulnerability in [vendor name].”
Coordinated Disclosure:
Vendors are encouraged to collaborate with QuantumSabre to ensure synchronized public announcements about the vulnerability and its remediation.
Resolution Timeline:
Vendors are allotted a maximum of 90 days from the initial notification date to release a patch or workaround. Beyond this period, QuantumSabre may proceed with public disclosure.
Third-Party Disclosure:
If the vulnerability is publicly disclosed by another party during this timeline, QuantumSabre will treat the information as public and collaborate with the vendor to expedite communication and resolution.
Active Exploitation Protocol:
If the vulnerability is being actively exploited, QuantumSabre will engage with the vendor to prioritize a faster disclosure timeline, potentially as short as seven days, depending on the scope of exploitation.
Delayed Technical Details Release:
For vulnerabilities deemed critical, QuantumSabre may withhold technical exploitation details or proof-of-concept code for up to 14 days following public disclosure to allow organizations to implement necessary protections.