As a provider of security solutions, services, and research, Zafran takes security issues very seriously. It is our policy to work and coordinate with other vendors with regards to discovered vulnerabilities, with the intention of keeping users and customers safe. This document will share our process for disclosure.
Outreach
Zafran will reach out to the impacted vendor, vendors, or other, through the appropriate contact method to notify them of the existence of a discovered vulnerability with regards to their product or service offering. If a vendor did not publish a designated security contact on their website, Zafran will attempt to contact relevant contacts and will email “security@” mailbox. When a secure method of communication is provided from the vendor(s) or other, Zafran will share its findings. To ensure contact is made, Zafran will make multiple, documented attempts to contact the vendor(s) or other, either directly or through third parties.
If no response is received from the impacted vendor(s) or other within two weeks, Zafran may choose to release the findings publicly in order to notify and/or protect the greater public.
Response Time
Zafran will do its best to work with the appropriate vendor(s) or group over a 90-day time period to address the vulnerability with a patch. We will provide additional information, as well as assistance, to ensure the security issues identified is verified and resolved. At the end of the 90-day period, or before, in a case where the issue is resolved, Zafran may publish its findings in order to notify and/or protect the greater public.
With any security issue, we recognize that it may take longer than 90 days to address the security issues. In these circumstances, we will work with the vendor(s) or group on a case-by-case basis.
Other Parties
Zafran reserves the right to discuss and disclose any discovered vulnerability with other parties or security vendors if we deem it is in the greater interest of providing a better overall response. Any such disclosure will be made responsibly, and the other party or security vendor must ensure proper action and disclosure should they take any action.
Zafran will publish any security findings on its website and other locations, as deemed appropriate and responsible.
Anyone wishing to reach out to Zafran regarding a security vulnerability may do so at security@zafran.com.