Part of the RatioSec Research activity is focused on vulnerability hunting. As professionals working in the security scene, we take security issues very seriously and recognize the importance of providing a coordinated and reasonable disclosure policy.

Disclosure Policy

The goal of the policy is to balance the interests of the community to be informed of security vulnerabilities with vendors' need for time to respond effectively.

Once RatioSec discovers a vulnerability in another vendor’s products, it writes an advisory containing the vulnerability information, and it takes a series of steps to address the issue. Until the completion of the disclosure process, the advisory will be kept confidential.

  1. RatioSec will attempt to contact the appropriate product vendor by email.
  2. The vulnerability details will be provided to the vendor, along with a preset disclosure date, usually set to a Wednesday two weeks later.
  3. If the vendor responds and provides status update, we are ready to postpone the date, for no more than 6 months. The advisory will be published once the fix is released.
  4. If the vendor fails providing the status update, it does not intend to fix the issue, or the set date has passed, the advisory will be published.