New from Ponemon Institute: The State of Offensive Security in 2023. Read the Report ›
Bishop Fox takes security issues very seriously. We are committed to addressing and reporting any identified security issues through a coordinated and constructive approach. We believe in coordinated disclosure, and we work closely with vendors and clients to patch vulnerabilities promptly. We adhere to the industry standard 90-day disclosure deadline. We notify vendors and our clients of vulnerabilities immediately, with details shared in public after 90 days, or sooner if the vendor releases a fix before the end of the timeline.
That deadline can vary in the following ways:
CVEs are an industry standard for identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that extend beyond our deadline, we ensure that a CVE has been pre-assigned.
If a vendor is unresponsive, Bishop Fox will send a notification to CERT/CC 15 days after the first attempt at contacting the vendor.
We reserve the right to bring deadlines forwards or backwards based on extreme circumstances. Bishop Fox is committed to treating all vendors equally. This policy aligns with Bishop Fox desire to improve industry response times to security bugs but also results in more flexible timelines for bugs marginally over deadline.
View ongoing Bishop Fox advisories on CVEs our researchers have authored here.
If you would like to report an issue or a security vulnerability in a Bishop Fox asset, please submit it here.