As part of our activities, OTORIO LTD. (the “Company”) occasionally identifies security vulnerabilities in third-party products or software. Our primary concern is to report these security vulnerabilities to the affected parties and assist in the development of solutions.
We believe it is both our professional and social responsibility to ensure security vulnerabilities are made publicly available to assist developers, vendors, and the security community in defending against the threat and implementing effective mitigations.
Upon identifying vulnerabilities, we will promptly disclose all relevant information regarding a security vulnerability to the affected party by email or any other appropriate contact available at the affected party’s website. If our efforts to contact the affected party remain unanswered, we may proceed with public disclosure within 3 months (90 days) after the initial contact.
The initial disclosure to the affected party will generally describe the vulnerability, state the disclosure deadline, and state our intention to publish the vulnerability information and, to the extent available, associated mitigations.
Upon receiving a response from the affected party, we allow a period of 3 months (90 days) from the initial contact attempt to address the vulnerability with a security patch or mitigation guidance. In extreme cases, we may consider a 30-day extension at our discretion for an affected party facing challenging circumstances that require a delay in publication. However, if we confirm that the reported vulnerability is actively exploited, due to the urgency and risk posed, we may release an expedited public disclosure and grant the affected party 48 hours (2 days) to address the issue.
A public disclosure shall be released after the receipt of a written confirmation from the affected party that the vulnerability has been addressed, or once the above deadline has expired and the affected party has not responded, has provided a reasonable explanation for not addressing the vulnerability, or is unable or has chosen not to address the vulnerability.
However, our preference is coordinated disclosure, where both the affected party and the Company publish advisories on a mutually agreed-upon date. This benefits the community by simultaneously providing them with the official vendor advisory and our advisory containing unique security expertise.
Any public disclosure made by the Company will include strictly limited information on the vulnerability and focus on context, impact, and, to the extent available, associated mitigation. We consistently refrain from sharing sufficient information to exploit a vulnerability, so as to prevent easy misuse by malicious entities while still raising awareness about the vulnerability and guiding the community toward appropriate actions.
Following public disclosure, the Company will provide a summary of the disclosure timeline and communications with the affected parties. Company disclosures will be publicly released on the Company’s website. Only entries listed on the website should be considered official Company disclosures.