
Disclosure Policy

Last update: Jun-21-2018

Non-commercial security research (Pro Bono)

Vendors responsible for fixing security defects uncovered as a result of our research are issued so-called vulnerability notices containing brief (though sufficient) information about the vulnerabilities identified in their products. From that moment, the internal security and engineering teams of a given vendor can start working to fix the reported issues.

Security Explorations does not send vulnerability information to the licensees of a given technology. Only original vendors of the affected technology or software are provided with brief vulnerability information.

Security Explorations starts informing vendors and the public about identified security threats on the same day. The public is notified about the existence of a given security weakness; vendors are provided with its brief details.

The public can monitor the status of vendor activities with respect to the fixing of reported issues through our web pages corresponding to the target research project.

If it acquires or discovers information indicating that certain security issues have been fixed or can no longer be exploited, Security Explorations reserves the right to publish additional details about such issues.

Security Explorations may publish Proof of Concept code for security vulnerabilities and attack techniques discovered by the company at any time after, or in parallel with, the disclosure of their technical details.

Issues already reported to the vendor that were improperly fixed are not subject to this policy. They are publicly disclosed without any prior notice.

Any legal threats coming from vendors or any 3rd party are immediately announced by us in the legal threats section of our website.

Commercial security research (SRP)

Security Explorations does not send vulnerability information to vendors of the affected technology or software. The results of SRP projects (or SRP materials) are available to SRP members as part of the SRP program and on a fee basis.

Vendors of the affected technology or software might receive a notification that a given material is made available under the SRP program. They can either purchase access to the material (SRP AO) or acquire exclusive ownership rights to it (SRP EP).

SRP materials that are not acquired on an exclusive basis can be the subject of a publication.

Any legal threats coming from vendors or any 3rd party are immediately announced by us in the legal threats section of our website.

Copyright 2008-2018 Security Explorations. All Rights Reserved.