Cinta Infinita is committed to responsible disclosure.
We believe this is the best way we can serve our customers and help protect the Internet community.
The present policy details Cinta Infinita's procedure regarding the public disclosure of security vulnerabilities. The intention behind this policy is to enable all related parties (i.e. software vendors, researchers and customers) to address a discovered vulnerability in a way that minimizes any associated risks.
This policy establishes the guidelines followed by the research team upon the discovery of a security vulnerability. It also details the steps followed by the research team and the interaction with the software vendor.
The goals of this policy are the following:
Vulnerability Disclosure Process
The following basic steps are taken by Cinta Infinita whenever a new vulnerability is discovered by the research team. In some particular cases, not all steps may be followed.
1. Discovery
The process begins when Cinta Infinita unveils a vulnerability. This could happen while researching a product or conducting application or network penetration tests on our customers.
The vulnerability is then studied until it can be fully reproduced. An internal document is generated, including a description of the vulnerability and its associated risk, technical details for reproduction, and a proof of concept of an attack.
2. Vendor Notification and Corroboration
The vendor is notified of the vulnerability and the research team provides as much technical information as possible. The vendor should then proceed with the reproduction of the proof of concept to corroborate the existence of the vulnerability.
The vendor will be contacted via email or phone. If no security contact information is publicly available for the vendor, the official channels will be used to start the communication.
If the vendor doesn't acknowledge the contact after 7 days, a new attempt will be made. If the vendor still fails to acknowledge the contact, the advisory will be made public.
Once the vulnerability details are received, the vendor should follow any variation of the following steps:
3. Fix Development and Corroboration
At this point, the vendor should address the vulnerability by fixing the software or providing workarounds to mitigate the impact.
The vendor may request to postpone the release when necessary, as long as they are working on a fix.
It is encouraged that the vendor asks for any needed assistance from the Cinta Infinita research team.
Most vulnerabilities should be resolved within 30 days of the notification date. More time may be provided if Cinta Infinita considers it necessary. Otherwise, the advisory will be released 45 days after the initial notification date.
4. Advisory Release
The vendor should release the fix and make sure it is available for every user. After the fix is made public, in a coordinated fashion, the security advisory will be publicly released.
In the interest of providing users with a reasonable period during which to defend their systems, Cinta Infinita may decide to delay the public release of data that could directly lead to the vulnerability being exploited.
If the vendor can't agree with Cinta Infinita on a release date, the advisory will be released after 15 days.
The following information will be included in the security advisory: