Responsible Disclosure – we act responsibly

The Greenbone expert teams detect new, not yet documented vulnerabilities in third party products as part of their daily work. This happens, for example, during the research phase when developing new vulnerability tests, and also while supporting customers with their individual environments and configurations.

If we identify a security problem in a third party product, we practice Responsible Disclosure and only ask that Greenbone be credited for finding and documenting the weakness.

Our policy for Responsible Disclosure is as follows:

1. Inform the vendor about the finding and provide as many details as possible.

2. Encourage the vendor to clarify the conditions, severity and reach of the vulnerability. Greenbone will try to provide as much helpful information as possible.

3. Encourage the vendor to identify whether an easy-to-apply workaround could close the attack vector. Greenbone will try to support verification of such a workaround.

4. Clarify with the vendor whether they want to publish the vulnerability themselves via CVE (Common Vulnerabilities and Exposures) or whether Greenbone or another party should do so. In any case, Greenbone asks to be credited for finding and documenting this vulnerability.

5. Encourage the vendor to prepare an official security update, and take that update into account in our vulnerability tests.

6. If the vendor does not respond to our report or otherwise ignores attempts to cooperate on documenting and publishing the weakness, Greenbone will publish the vulnerability on its own.

We will do so after 30 days if we receive no constructive response at all.

We will also do so after 90 days if the vendor has neither made a security update available to its customers nor at least informed users about the threat.

In any case, Greenbone reserves the right to add a Network Vulnerability Test for the reported problem to the Greenbone Security Feed from the first day on. This helps our customers become aware of the threat and take appropriate measures as early as possible.

If the vendor publishes and documents the vulnerability but does not apply the SCAP standards (CVE, CVSS, CPE), Greenbone reserves the right to do so.