
SecureWorks' Responsible Disclosure Policy

As a managed security services provider, we are constantly researching new methods computer criminals could use to break into systems, steal information and cause harm to our clients or their clients. We must be ahead of the criminal – anticipating new threats and developing countermeasures to prevent those threats. In that process, we may discover a vulnerability or a class of vulnerabilities in a technology solution that could create risk for our clients or the general market. When we discover a vulnerability, we will follow SecureWorks’ Responsible Disclosure Policy.

The goals of our Disclosure Policy are as follows:

  1. Minimizing risks to our clients and to the market
  2. Educating clients and the public
  3. Contributing to the security community
  4. Cooperating with the vendor community to understand the vulnerability

SecureWorks believes that it is important to work with technology providers when we find vulnerabilities – giving them an opportunity to patch their systems prior to advising our clients and the public about the vulnerability. This reduces the opportunity for a computer criminal to use the information we provide to the public to cause harm, although it does not prevent the criminal from discovering the same vulnerability independently.

Our Disclosure Policy guides us in the following stages:

  1. Discovery and documentation of the vulnerability
  2. Notification to impacted vendor and computer security response teams
  3. Collaboration with vendor to fully understand the vulnerability
  4. Collaboration with Computer Security Response teams
  5. Testing fixes provided by the vendor to validate that the vulnerability has been addressed
  6. Advisory release coordinated with vendor

The remainder of our policy provides details about each of the stages outlined above.

1) Discovery and Documentation of the Vulnerability

When a vulnerability is discovered, SecureWorks will prepare documentation that answers the following questions:

  1. What is the vulnerability?
  2. Who is the Vendor that ships the vulnerable code?
  3. What specifically is vulnerable (which versions of the technology solution were tested)?
  4. Is the vulnerability enabled by default and, if so, on which versions of the technology solution?
  5. What are the potential ways in which the vulnerability can be exploited?
  6. What is the risk of this vulnerability to the user community? Rate two components, Likelihood and Impact, each on a scale from 1 to 5, with 5 being high.
  7. Is there any “proof of concept” code available to provide the vendor?

2) Notification to Impacted Vendor

Documentation on the vulnerability will be provided to the vendor, in addition to any other information that may be helpful. A copy of our Disclosure Policy will accompany the first documentation provided to the vendor. If code is available and would be helpful to the vendor, it will be provided, but SecureWorks is not obligated to develop code. SecureWorks is not responsible for verifying whether the vulnerability exists in other versions of the technology solution.

The vendor will be notified using the publicly available contact name or email address that the vendor indicates on their public website. If no contact name is provided, SecureWorks will attempt to contact the vendor via the following email conventions: security@, secure@, security-alert@, secalert@ and support@. The day that the vendor is sent documentation is considered “Day 0” of the disclosure timeline. SecureWorks will expect a response by email from the vendor within 7 days that acknowledges receipt of our notification and identifies a plan to address the vulnerability.

3) Collaboration with Impacted Vendor

Most commonly, communication is established with the vendor and collaboration begins at this step to help the vendor fully understand the vulnerability. This stage should involve frequent and documented communication with the vendor, leading to greater understanding. Communication shall be through company-established communication channels between the impacted vendor and SecureWorks.

4) Collaboration with Computer Security Response teams

SecureWorks may disclose the vulnerability to other Computer Security Response teams such as CERT or US-CERT.

5) Testing the Fix Provided by the Vendor to Validate that the Vulnerability is Fixed

SecureWorks will test the fix provided by the vendor to ensure that it addresses the vulnerability discovered. SecureWorks is not responsible for testing platforms other than the platform on which the vulnerability was originally discovered. SecureWorks will be timely in testing the fix provided by the vendor.

6) Advisory Release Coordinated with the Vendor

SecureWorks will prepare an advisory release that discloses the same information originally provided to the vendor (unless facts have changed), as well as any workarounds or patches that have been made available by the vendor or SecureWorks. This advisory will be coordinated with the vendor and will be issued at the time that a fix is available. The advisory release will be written by SecureWorks’ public relations team and approved by the VP of Research and the CTO of SecureWorks. If the advisory is newsworthy, key members of the press and analyst community may be contacted prior to the release. Any press contact will be guided by SecureWorks’ Press Policy, which is available in a separate document.
