Censys believes that timely, coordinated disclosure of vulnerabilities is in the best interest of the public and of the impacted parties. Censys’ security research team may discover vulnerabilities in the course of its research.
When a vulnerability is discovered in the systems of a subscriber to Censys’ products or services, Censys will privately disclose the issue to the impacted party through that subscriber’s existing account workflow. When a new vulnerability is discovered during security research (for example, a previously unknown flaw in a vendor’s product), Censys will coordinate with the vendor, and with CERT/CC if necessary, using the workflow outlined below.
Responsible Disclosure Workflow
1. Censys will keep all communication regarding the vulnerability confidential until the disclosure process is complete.
2. Censys will attempt to contact the appropriate product vendor by email.
3. Censys will provide the vulnerability details to the vendor.
4. If further coordination is required (for example, the vendor does not respond or cannot be identified), Censys will notify CERT/CC within 15 days of the first attempt to contact the vendor.
5. Censys will prepare and publish an advisory detailing the vulnerability no sooner than 60 days, and no later than 90 days, after the initial contact attempt in step 2 above, barring extenuating circumstances. The advisory will be made available to the general public via Censys’ blog and social media. Depending on the impact, Censys may also coordinate with interested parties in the media.