Responsible Disclosure Policy

Cinta Infinita is committed to responsible disclosure.
We believe this is the best way we can serve our customers and help protect the Internet community.

This policy details Cinta Infinita's procedure regarding the public disclosure of security vulnerabilities. The intention behind this policy is to enable all related parties (i.e. software vendors, researchers and customers) to address a discovered vulnerability in a way that minimizes the associated risks.

This policy establishes the guidelines followed by the research team upon the discovery of a security vulnerability. It also details the steps followed by the research team and the interaction with the software vendor.

The goals of this policy are the following:

  • Educate all parties involved, providing the security community with the necessary information to reproduce, study and verify the discovered vulnerability.
  • Minimize the risks to all affected parties.
  • Contribute to making software more secure.
  • Provide the software vendor with the necessary information to release a fix for the discovered vulnerability.

Vulnerability Disclosure Process

The following basic steps are taken by Cinta Infinita whenever a new vulnerability is discovered by the research team. In some particular cases, not all steps will be followed.

1. Discovery

The process begins when Cinta Infinita discovers a vulnerability. This could happen while researching a product or while conducting application or network penetration tests for our customers.
The vulnerability is then studied until it can be fully reproduced. An internal document is generated, including a description of the vulnerability and its associated risk, technical details for reproduction, and a proof of concept of an attack.

2. Vendor Notification and Corroboration

The vendor is notified of the vulnerability and the research team provides as much technical information as possible. The vendor should then reproduce the proof of concept to corroborate the existence of the vulnerability.
The vendor will be contacted via email or phone. If no security contact information is publicly available for the vendor, the official channels will be used to start the communication.
If the vendor does not acknowledge the contact within 7 days, a second attempt will be made. If the vendor still fails to acknowledge the contact, the advisory will be made public.
Once the vulnerability details are received, the vendor should take the following steps (or some variation of them):

  • Understand the vulnerability and reproduce any provided proof of concept.
  • If the vulnerability has already been reported to the vendor or is already being fixed, inform Cinta Infinita.
  • Determine if any other products or applications are affected by the vulnerability.
  • Identify the code involved and plan a fix.

3. Fix Development and Corroboration

At this point, the vendor should address the vulnerability by fixing the software or providing workarounds to mitigate the impact. The vendor may request to postpone the release when necessary, as long as they are working on a fix.
The vendor is encouraged to ask the Cinta Infinita research team for any assistance it needs.
Most vulnerabilities should be resolved within 30 days of the notification date. More time may be granted if Cinta Infinita considers it necessary. Otherwise, the advisory will be released 45 days after the initial notification date.

4. Advisory Release

The vendor should release the fix and make sure it is available to every user. After the fix is made public, the security advisory will be released in a coordinated fashion.
In the interest of giving users a reasonable period in which to defend their systems, Cinta Infinita may decide to delay the public release of details that could directly lead to the vulnerability being exploited.
If the vendor cannot agree with Cinta Infinita on a release date, the advisory will be released after 15 days.

The following information will be included in the security advisory:

  • Advisory Name: A name assigned to the vulnerability by Cinta Infinita.
  • Vulnerability Type: The type of the discovered vulnerability.
  • Affected Software: Applications, versions and platforms where the vulnerability was verified.
  • Risk level: The risk posed by the vulnerability.
  • Author: The person who identified the vulnerability.
  • Vendor Status: Whether the vendor is aware of the vulnerability and whether a fix has been released.
  • CVE ID: CVE (Common Vulnerabilities and Exposures) number.
  • Reference to Vulnerability Disclosure Policy: Link to this policy.
  • Overview: Description of the software and the discovered vulnerability.
  • Technical Details: Information needed to reproduce and verify the vulnerability.
  • Remediation: Possible solutions, including links to vendor fix / workaround information.
  • Vendor Response: A timeline of the communication between Cinta Infinita and the vendor regarding the discovered vulnerability.