Disclosure Policy

devWerks strongly believes that a coordinated disclosure is the best approach to properly and efficiently address a vulnerability and thus protect a vendor's customers.

  1. If no security contact is known for the vendor, an e-mail requesting the security contact e-mail address may initially be sent to certain public e-mail addresses associated with the vendor.
  2. When a security contact or other relevant e-mail address has been identified, a vendor initially receives a mail with vulnerability details along with a preset disclosure date (usually set to a Wednesday two weeks later).
  3. If the vendor does not respond to the initial mail within a week, it is resent.
  4. If no response has been received at the day of the preset disclosure date, the vulnerability information is published immediately without further coordination attempts.
  5. If the vendor responds to either the initial mail or the resent mail, a new disclosure date may be set in case the vendor cannot meet the preset date.
  6. devWerks expects vendors to provide continuous status updates on the progress. If none are provided by default, the vendor will be contacted about once a month with a status update request.
  7. Should the vendor not respond to two consecutive status update requests, a mail is sent to the vendor advising that the vulnerability information will be disclosed a week later if no response is received. Has no response been received by this date, the vulnerability information is immediately published without further coordination attempts.