Bonsai Information Security - Vulnerability Research

Vulnerability Disclosure Policy

This policy outlines how Bonsai handles responsible vulnerability disclosure to product vendors, security vendors and the general public.

Bonsai will responsibly and promptly notify the appropriate product vendor of a security flaw in their product(s) or service(s). The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail to [email protected], [email protected], [email protected], and [email protected][vendor].com with the pertinent information about the vulnerability. Simultaneously with notifying the vendor, Bonsai may request a CVE identifier from MITRE.

If a vendor fails to acknowledge Bonsai's initial notification within five business days, Bonsai will initiate a second formal contact. If a vendor fails to respond within an additional three business days following the second notification, Bonsai may rely on an intermediary to try to establish contact with the vendor. If Bonsai exhausts all reasonable means of contacting a vendor, Bonsai may issue a public advisory disclosing its findings fifteen business days after the initial contact.

If a vendor response is received within the timeframe outlined above, Bonsai will allow the vendor a reasonable period of time to develop a fix for the identified vulnerability. Bonsai will use its discretion to determine, on a case-by-case basis, what constitutes a "reasonable period of time" for a vendor fix to be developed. Bonsai will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Bonsai will offer to work with that vendor to publicly disclose the flaw together with effective workarounds or mitigation plans. In no case will an identified vulnerability be "kept quiet" because a product vendor does not wish to address it.

Bonsai will formally and publicly release its security advisories on its Web site and on selected security mailing list outlets and databases.