We operate a responsible disclosure policy wherein we will attempt to contact any and all organisations whenever we discover a vulnerability in one of their products or services. The purpose of disclosing the vulnerabilities responsibly is to give the organisation the opportunity to fix any vulnerabilities discovered before the public is made aware.
If we do not receive a reply from the organisation about the vulnerabilities discovered, we will attempt to make make contact several more times across various media platforms.
However, if we do not receive a reply within 30 days of initial contact, we will publicly disclose all relevant details of the vulnerabilities in a report. The report may or may not include recommendations on how to fix the vulnerabilities.
If we do receive a reply from the organisation, we will delay all publications of the vulnerabilities discovered for up to 90 days to allow the organisation sufficient time to develop and distribute security fixes.
We will also take great effort to work with the organisation to help them to understand and fix the vulnerabilities disclosed, upon their request.
After the 90-day period has elapsed or at the point when fixes have been made available - whichever is sooner - we will publish a report on the vulnerabilities discovered, the timelines for the fix and any other relevant details.