In regards to my research, I follow a responsible disclosure policy, consisting broadly of the following approach:
I will make all reasonable efforts to formally notify the vendor and/or manufacturer (via email, web form or telephone) of the vulnerability, providing as much information as is reasonably possible to enable the vendor to reproduce and fix the identified issues.
I request a response from the vendor to this initial communication, acknowledging receipt of the vulnerability report, within one (1) week.
If no response has been received, I will make a second attempt after one (1) week to contact the vendor, again requesting acknowledgement of receipt of the report within one (1) week.
I will generally allow three (3) months for a patch to be released which satisfactorily remediates the vulnerability, prior to disclosure. The three (3) month period will begin upon the first attempt by me to contact the vendor.
If either time frame elapses without sufficient explanation, I may issue a public advisory about the elevated level of risk posed by running the vendor’s product.
I reserve the exclusive right to publicly release details provided to the vendor before a patch or effective mitigation has been released.
I similarly reserve the right to communicate details of the vulnerabilities to anyone, under non-disclosure agreement, to enable them to take any available protective measures prior to the vendor’s patch being released.
When a patch or other acknowledgement of an issue is released by the vendor, I request attribution of the research contained in this report to me (Doomguy / https://github.com/doomguy) and/or anyone else involved with the research.