Tradecraft's mission is to help organisations to be more secure. We recognise that the premature disclosure of vulnerabilities can be counterproductive to that goal. However, we also believe that organisations can only protect themselves if they are aware of the problems that they have. As such, it's vital that accurate information about vulnerabilities be made public as soon as is reasonably possible.
Where we're able to contact vendors or software authors, we always do so and discuss remediation and disclosure privately. Our goal is to ensure that an update resolving the vulnerability in question is always available prior to its publication.
We may also make contact with other parties, such as users of vulnerable software, industry bodies or government bodies and make them aware of an unpublished vulnerability. In these cases, we ensure that any other party commits to maintaining the confidentiality of the vulnerability until an update is available.
We also recognise that differences of opinion can occur about the seriousness of a given vulnerability, that not all authors are contactable and that not all authors are able or willing to address security issues in a timely fashion. In these cases, we believe disclosure to be the most responsible course of action we can take.
As such, our disclosure policy is as follows. Upon identifying a security vulnerability we will:
This policy is reviewed regularly, and may be changed without notice.