Process for Reporting Vulnerabilities
When Pentraze identifies a security issue in a third-party vendor's product or service, the following steps are taken:
- Initial Vendor Contact (Day 0)
  - Contact the vendor and inform them of the vulnerability.
  - If the vendor is not itself a CVE Numbering Authority (CNA), assign a CVE ID to the issue; a vendor that is a CNA assigns the ID for its own product.
  - Record the vendor's name and the report date on Pentraze's vulnerability tracking platform.
- Follow-Up Communication (Day 7)
  - Send a second notification if the vendor has not acknowledged the report.
- Notification of Impending Disclosure (Day 45)
  - Send a courtesy reminder to the vendor that states the planned publication date of the report.
- Final Reminder (Day 60)
  - Send a last reminder if the vendor has not responded or has stopped communicating.
- Disclosure (Day 90)
  - Publish a comprehensive report on Pentraze's vulnerability tracking website.
  - If the vendor releases a patch or mitigation before Day 90, the report is published as soon as that release is available rather than waiting for Day 90.
  - Request publication of the CVE record from MITRE.
