General Information and Purpose
1.1 Vulnerabilities and security weaknesses described in HTB Security Advisories are discovered by High-Tech Bridge Security Research Lab, a unit of the Research & Development department of High-Tech Bridge SA.
1.2 HTB Security Advisories are provided for free, on an 'as is' basis, in accordance to our corporate social responsibility, with the aim of helping various software vendors improve their products' security.
1.3 High-Tech Bridge Security Research Lab reserves the right to select products at its discretion. Due to limited resources we do not accept external requests to review security of a particular product.
2.2 To minimize the potential harm of malicious use of our advisories, Proof-of-Concept (PoC) code is typically designed only to demonstrate the vulnerability, not to perform complete exploitation of it.
3.1 Vulnerability notification is sent by email to the Security Contact publicly provided by vendor. If Security Contact is unavailable or unknown, vulnerability notification is sent via on-line forms and to the list of emails provided in section 6 of the Vulnerability Disclosure Framework.
3.2 The notification email contains all available information about the vulnerability, the PoC code, the proposed Public Disclosure date (3 weeks after the notification), and instructions on how to communicate with us.
3.3 Following the vulnerability notification, the vendor can request to delay the proposed Public Disclosure date in order to have more time to evaluate the issue, release a security patch, and notify end-users in advance.
3.4 If the vendor does not provide any feedback within 7 days of the initial notification, a secondary notification is sent. In this case, the vendor is also contacted by other available means (e.g. social networks, product forums, etc.) and requested to provide a Security Contact.
4.1 General information, such as the advisory ID and the vulnerable product name, is published on High-Tech Bridge's website on the same day as the vendor notification.
4.2 CVE Identifiers are included in our security advisories, ensuring that the security community benefits by having CVE Identifiers as soon as the issue is announced. The CVE Identifier (CVE Reference) is published: (a) on the Public Disclosure date; or (b) when the CVE Identifier is publicly provided by a third party, whichever comes first.
4.3 Vulnerability details and PoC code are disclosed on Public Disclosure date proposed in the initial notification email, or on the Public Disclosure date requested by vendor.
4.4 Public Disclosure date will remain the same as proposed in the initial notification email if:
- the vendor agreed with it or did not request to move it;
- the vendor did not provide any feedback within 14 days of the secondary notification.
4.5 Vulnerability details may also be disclosed before the Public Disclosure date if the vendor or a third party publishes detailed information or an exploit for the same vulnerability, having discovered it independently of High-Tech Bridge Security Research Lab.
4.6 Any published advisory may be modified for a variety of reasons, such as interactions between vendors and High-Tech Bridge Security Research Lab. Any significant updates such as the availability of a solution or addition of a PoC will be noted in the advisory.
5.1 Each vulnerability in an advisory has a CVSSv2 Base Metric score assigned by High-Tech Bridge Security Research Lab. In the case of multiple vulnerabilities of the same type, the highest score is displayed.
5.2 Each security advisory has a risk level assigned, based on CVSSv2 Base score of vulnerabilities described in the advisory. Four different risk levels are listed below:
- Low: Base Score 0.0-3.9
- Medium: Base Score 4.0-6.9
- High: Base Score 7.0-8.9
- Critical: Base Score 9.0-10.0
If an advisory contains multiple vulnerabilities of different risk levels, the highest risk level is displayed.
Disclosure Policy Modification
6.1 This document may be modified. Any modifications will be posted.
6.2 This document was last updated on: July 17, 2013 [Changelog].
7.2 We will not provide any detailed information about vulnerabilities to any third parties, except a CVE Numbering Authority, before the Public Disclosure date.
7.3 We will not reply to anonymous emails. Vendors should make sure to contact us from an address that is publicly linked to the project on the vendor's home page.