Login

Register

Login

Register

#cybersecurity | #hackerspace |

ProtonMail’s responsible vulnerability disclosure policy


Our mission at ProtonMail is to make online safety accessible to everyone. Millions of people depend on our products to secure their communications and keep their information private.

In order to make this high level of security accessible to all Internet users, we must work to integrate ProtonMail seamlessly with third-party products, from web browsers to mobile devices. Occasionally we find security flaws in these products that can be exploited by attackers, putting at risk the privacy and security of ProtonMail users. As any technology can contain bugs, it is the responsibility of the developer community to work together cooperatively to discover, responsibly report, and patch vulnerabilities in a timely manner.

This document describes our policies for vulnerability disclosure when we find flaws in other products and services. When developers find vulnerabilities in our products, we have an established process for reporting these: You can learn more by visiting our ProtonMail Bug Bounty program and ProtonVPN Bug Bounty program.

What we do when we discover a vulnerability

When we find a bug in a third-party product, we reach out directly to the vendor and describe the issue in detail. We follow the vendor’s vulnerability disclosure process whenever possible. 

Along with our bug report, we notify the vendor that we follow the industry standard of 90 days for publicly disclosing vulnerabilities to the security community. If the vendor has made a good faith effort to resolve the issue and has indicated its intent to release a patch soon, we may extend this deadline by 14 days. However, if the vulnerability is actively exploited (0-day) we may reduce the public disclosure grace period to seven days to protect users.

Oftentimes, if we understand the problem well, we may propose bug fixes or work with the product’s developers to resolve the issue. Our primary goal is to make the Internet safer, so we’re happy to collaborate toward a solution.

Summary

When ProtonMail discovers a new vulnerability in a third-party product:

  1. We inform the affected vendor, and all information is kept confidential for 90 days. 
  2. We publicly disclose the information after 90 days if we have not received feedback.
  3. If the vendor requests an extension, we publicly disclose the information after 104 days.

How to reach our security team

If you want to get in touch with us regarding a vulnerability affecting our services or products, please send a message to security@protonmail.com. (You may also use the PGP key for this address, which can be found at the bottom of our Security Details page.) We will reply to you within one business day.

Best Regards,
The ProtonMail Security Team

The post ProtonMail’s responsible vulnerability disclosure policy appeared first on ProtonMail Blog.

*** This is a Security Bloggers Network syndicated blog from ProtonMail Blog authored by ProtonMail Blog. Read the original post at: https://protonmail.com/blog/responsible-vulnerability-disclosure/



Source link

Leave a Reply

Shqip Shqip አማርኛ አማርኛ العربية العربية English English Français Français Deutsch Deutsch Português Português Русский Русский Español Español

National Cyber Security Consulting App

 https://apps.apple.com/us/app/id1521390354

https://play.google.com/store/apps/details?id=nationalcybersecuritycom.wpapp


NATIONAL CYBER SECURITY RADIO
[spreaker type=player resource="show_id=4560538" width="100%" height="550px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]
HACKER FOR HIRE MURDERS
 [spreaker type=player resource="show_id=4569966" width="100%" height="350px" theme="light" playlist="show" playlist-continuous="true" autoplay="false" live-autoplay="false" chapters-image="true" episode-image-position="left" hide-logo="false" hide-likes="false" hide-comments="false" hide-sharing="false" hide-download="true"]

ALEXA “OPEN NATIONAL CYBER SECURITY RADIO”

National Cyber Security Radio (Podcast) is now available for Alexa.  If you don't have an Alexa device, you can download the Alexa App for free for Google and Apple devices.   

nationalcybersecurity.com

FREE
VIEW