Pentagrid’s Coordinated Disclosure Policy
Pentagrid notifies vendors about security vulnerabilities identified during security assessments and research, or when asked by third parties to handle the coordinated disclosure process. When Pentagrid reports a vulnerability, we try to follow the approach outlined in this policy. Pentagrid understands coordinated disclosure as a professional communication process with the aim of getting risks addressed and being transparent about the vulnerability to a public audience.
Pentagrid’s notifications contain technical information about the vulnerability, which should be sufficient for technical personnel to reproduce the vulnerability and to conduct further investigation. The notification is free of charge and provided ‘as is’. If a vendor has further questions regarding Pentagrid’s notification, any follow-up clarification is free as well. We do not accept bug bounties. Very often we cannot use the official disclosure channels (such as bug bounty programmes) for various reasons. One reason might be a non-disclosure clause in the vendor's policy, while our policy has a general 90-day disclosure deadline.
When Pentagrid reports a vulnerability, we expect feedback within 14 days starting from the first attempt to contact a vendor. We strongly recommend that vendors provide a single point of contact to which Pentagrid can submit vulnerabilities. If Pentagrid cannot find such a contact, we contact first-level support and/or use social media platforms to identify further communication channels, but this often does not lead to a successful process. If there is no direct security contact, Pentagrid may only provide as much information about vulnerabilities as is considered necessary to get in contact with the team responsible for handling vulnerabilities.
After an initial contact with a vendor, the minimum feedback Pentagrid expects is an acknowledgement that the notification has been received, which steps are planned and when they will take place. If a vendor fails to sufficiently acknowledge Pentagrid’s notification within 14 days starting from the first attempt to contact a vendor, Pentagrid might publish some or all details about the vulnerability publicly. Pentagrid grants a 90-day period starting from the initial notification attempt, within which the vendor should be able to publish a patch that resolves or mitigates the reported vulnerability. If this 90-day period ends on a weekend or public holiday, the period is extended to the next working day. After this period, Pentagrid might publish details about the vulnerability publicly. Furthermore, Pentagrid reserves the right to publish an advisory before the end of the 90-day period for various reasons. For example, a third party may exploit the reported vulnerability in the wild, or a third party may publish details about the vulnerability so that withholding details no longer makes sense. Additionally, a security update may be available before the end of the 90-day period, or affected systems may already have been patched, so that there is no need to withhold information.
Coordinated disclosure is a standard process in the IT industry and is practiced by many companies. Pentagrid's view on coordinated disclosure is similar to the coordinated disclosure policy that is practiced by Google, where further information can be found on https://www.google.com/about/appsecurity/ and https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html. Pentagrid reserves the right to deviate from this policy in specific circumstances where it is deemed necessary.