IARM Vulnerability Disclosure Policy

Our Values 

IARM, a cyber security service provider and research organization, strongly believes that constructive and coordinated disclosure is the best approach to address and fix vulnerabilities. 

We also believe that these contributions to the security community will be helpful to reduce attack surfaces or vectors against diverse and ever-changing threats. 

 

Scope 

IARM’s vulnerability disclosure policy applies to any third-party vendor products for which IARM will assign CVEs for identified vulnerabilities. This applies only if the product is not already covered under the scope of another CNA. 

 

Policy 

Once a security issue is identified, IARM will take the following steps to notify the respective parties and facilitate its resolution: 

  • Once a vulnerability is confirmed, IARM will gather all the necessary information, including technical details, impact assessment, and proof of concept (if applicable), to effectively communicate the issue to the affected party. 
  • IARM will establish initial contact with the affected vendor via email, providing detailed information about the vulnerability along with all supporting documents. 
  • If IARM does not receive a response from the vendor within seven days of the initial email, a follow-up reminder will be sent. If the vendor still does not respond or refuses to acknowledge the vulnerability within 14 days from the initial contact, IARM reserves the right to publicly disclose the vulnerability to ensure awareness and mitigation. 
  • If IARM receives a response from the vendor, we will notify them of the scheduled date for the vulnerability disclosure. 
  • The vendor will be given 90 days to provide a patch or relevant fix for the reported issue. Once the patch or fix is released, IARM will disclose the vulnerability immediately to ensure users are informed and can apply the update promptly. 
  • If the vendor fails to provide a fix within the 90-day period and no further response is received, IARM will proceed with the public disclosure of the vulnerability on the pre-determined disclosure date. 
  • If the vendor is unable to provide a fix within the 90-day deadline but has communicated their situation to IARM, the deadline may be extended. IARM will allow a maximum coordination period of five months for the vendor to address the vulnerability. After this period, regardless of whether a fix is provided, the vendor will be informed, and the vulnerability will be disclosed publicly. 
  • The 90-day deadline mentioned above is not a hard deadline. IARM reserves the right to shorten or lengthen the deadline based on factors such as the severity of the vulnerability, the ease of exploitation, and the potential impact on affected users. 
  • Until the completion of the disclosure process, IARM will maintain the confidentiality of all communications with the vendor. However, once the process is finalized, we will disclose the vulnerability to the public, irrespective of whether the vendor supports the disclosure. 
  • All CVEs assigned by IARM and their vulnerability disclosures will be published in the IARM Security Advisory. Only the advisories listed in the Security Advisory will be considered official documents, ensuring a consistent and authoritative source for all public disclosures. 

For the latest news, research, security updates, and information on ongoing projects, please visit https://iarminfo.com/ 

IARM is always open to feedback and suggestions. If you would like to contact us regarding any security concerns, vulnerability disclosures, or general inquiries, please feel free to email us at [email protected] 
