===============================
Vulnerability Disclosure Policy
===============================

The vulnerability disclosure process consists of the following phases:

1. Vendor notification about a vulnerability
2. A product name published in a Security Advisory without additional information (optional)
3. Public disclosure about a vulnerability / Add details about a vulnerability

Please note that this policy does not apply to vulnerabilities discovered during client engagements, which are subject to Non-Disclosure Agreements.

THE PROCESS OF DISCLOSING A VULNERABILITY

Binary House will make attempts to establish communication with the vendor's security team via an encrypted channel (GPG, S/MIME, etc.). Binary House first attempts to contact the vendor through an email address listed on the vendor's webpage that is dedicated to reporting vulnerabilities, or by sending an email to the following addresses:

- security@
- secure@
- alert@
- support@
- info@

If there is no possibility to establish direct communication with the security team, the initial contact will be established via the standard customer support. In this case, the initial contact may not include any details of the vulnerability but will serve as a method of obtaining the contact.

The affected vendor will be provided with all the necessary details of the discovered vulnerability. The vendor will also be notified of the planned disclosure date, which is 90 days from the day the initial contact attempt was made. If no response is received from the vendor within 30 days of the initial attempt, Binary House will disclose the issue publicly and, where possible, include mitigation or remediation guidance.

If the vendor is running out of time but indicates in advance that a fix will be published within 14 days following the planned disclosure date, the publication of the security advisory will be delayed until the patch is available or the 14-day grace period expires, whichever occurs first.

If the vendor releases a patch or security advisory before the end of the 90-day timeframe, Binary House retains the right to release an advisory with full technical details and a PoC (if available) prior to the planned date of the public disclosure.

Security advisories will be disclosed at the following URL:

- https://www.binary.house/en/security-advisories

The public GPG key is available at:

- https://www.binary.house/binaryhouse.asc

Version: 1.0
Last updated: 19.07.2018