Handling the results of our work in a responsible way is our highest priority. We‘ve taken a long, hard look at what this means for our behavior.
We use a well-structured model of responsible disclosure to report vulnerabilities in standard products that have not been developed by our client itself, and the publication of which has not been prohibited by contractual obligations. This written report is strictly confidential and enables the manufacturer to comprehend and to further investigate the vulnerability with the aim of eliminating it.
We reserve the right to publish the vulnerability once the developer has provided a solution; or 60 days after we have informed the developer. The latter applies regardless whether the developer has already provided a patch or a workaround at this particular time. We will only depart from this procedure if another approach has been shown to reduce the risks incurred by all the concerned parties.