Introduction
At McAiden, our commitment to cybersecurity leads us to engage in rigorous vulnerability research and security assessments. In the course of these activities, we might identify security vulnerabilities within both proprietary and open-source software products. Recognizing the critical importance of these findings, we aim to responsibly share relevant information with the affected product vendors, our clientele, and the broader cybersecurity community. Our primary objective is to mitigate the risks associated with the disclosure of such vulnerabilities, ensuring that they are addressed in a manner that minimally impacts the involved parties. This Responsible Disclosure Policy outlines the essential procedures and timelines that are to be adhered to for the effective resolution of identified security concerns prior to any public dissemination of information.
90-day Disclosure Deadline Policy
In alignment with industry best practices, notably adopted by leading entities such as Google, McAiden enforces a 90-day disclosure timeline. This policy stipulates that upon notification of a security vulnerability by McAiden, vendors are granted a period of 90 days to develop and deploy a remedial patch for their users. Subsequent to the availability of the patch, McAiden reserves the right to publicly disclose the details of the vulnerability.
For instance, should a vendor address a reported security flaw on the 47th day following our notification, McAiden would proceed to publicly share the vulnerability specifics no earlier than the 48th day. Conversely, in scenarios where a vendor fails to remediate the identified issue within the stipulated 90-day window, McAiden will proceed with a public disclosure upon the lapse of this period.
In-the-wild vulnerabilities
Our policy adapts in situations where there is concrete evidence to suggest that a vulnerability is actively being exploited against users in real-world scenarios. In such cases, the standard 90-day disclosure framework is substituted with an expedited 7-day disclosure protocol to promptly address the imminent threat posed by the exploitation of the vulnerability.
Mutually Agreed Early Disclosure
McAiden acknowledges that certain circumstances may warrant an earlier disclosure of vulnerability details than what is outlined in our standard policies. In such cases, McAiden is open to reaching a mutual agreement with the concerned vendor to advance the disclosure timeline. This approach is contingent on a collaborative discussion between McAiden and the vendor, ensuring that any early disclosure is executed with due consideration for the potential implications.
Mutual Agreement Exception
At any point, if the vendor is actively working on a fix but requires more time, McAiden and the vendor can mutually agree to extend the disclosure deadline. Such an extension would be based on transparent communication about the efforts being made to address the issue and a reasonable timeline for the fix. Typically, extension periods might range from an additional 30 to 60 days, but they can be shorter or longer based on the specific circumstances and the negotiations between McAiden and the vendor.
The following key is McAiden Research Lab’s PGP public key: