Our Values
IARM, a cybersecurity service provider and research organization, strongly believes that constructive, coordinated disclosure is the best approach to addressing and fixing vulnerabilities.
We also believe that such contributions to the security community help reduce the attack surface, and the attack vectors, exposed to diverse and ever-changing threats.
Scope
IARM’s vulnerability disclosure policy applies to vulnerabilities that IARM identifies in third-party vendor products and for which IARM assigns CVE IDs. It applies only to products that are not already covered by the scope of another CNA (CVE Numbering Authority).
Policy
Once a security issue is identified, IARM will take the following steps to notify the respective parties and facilitate its resolution:
- Once a vulnerability is confirmed, IARM will gather all the necessary information, including technical details, impact assessment, and proof of concept (if applicable), to effectively communicate the issue to the affected party.
- IARM will establish initial contact with the affected vendor via email, providing detailed information about the vulnerability along with all supporting documents.
- If IARM does not receive a response from the vendor within seven days of the initial email, a follow-up reminder will be sent. If the vendor still has not responded, or refuses to acknowledge the vulnerability, within 14 days of the initial contact, IARM reserves the right to disclose the vulnerability publicly so that affected users are aware of it and can mitigate it.
- If the vendor responds, IARM will notify them of the scheduled disclosure date.
- The vendor will be given 90 days to provide a patch or relevant fix for the reported issue. Once the patch or fix is released, IARM will disclose the vulnerability immediately to ensure users are informed and can apply the update promptly.
- If the vendor fails to provide a fix within the 90-day period and no further response is received, IARM will proceed with the public disclosure of the vulnerability on the pre-determined disclosure date.
- If the vendor cannot provide a fix within the 90-day deadline but has communicated its situation to IARM, the deadline may be extended. IARM will allow a maximum coordination period of five months for the vendor to address the vulnerability. After that period the vendor will be notified and the vulnerability will be disclosed publicly, whether or not a fix is available.
- The 90-day deadline is not a hard deadline. IARM reserves the right to shorten or lengthen it based on factors such as the severity of the vulnerability, how easily it can be exploited, and the potential impact on affected users.
- Until the disclosure process is complete, IARM will keep all communications with the vendor confidential. Once the process is finalized, however, IARM will disclose the vulnerability publicly regardless of whether the vendor has cooperated.
- All CVEs assigned by IARM and their corresponding vulnerability disclosures will be published in the IARM Security Advisory. Only advisories listed there are considered official documents, so that a single consistent and authoritative source exists for all of IARM’s public disclosures.
For the latest news, research, security updates, and information on ongoing projects, please visit https://iarminfo.com/
IARM is always open to feedback and suggestions. If you would like to contact us regarding any security concerns, vulnerability disclosures, or general inquiries, please feel free to email us at [email protected]