Disclosure Policy


The Spentera Research (SPARC) team conducts vulnerability research as a form of feedback to the information security community, in Indonesia in particular and the world at large.

This section outlines how the SPARC team handles vulnerabilities it finds, intentionally or unintentionally, in public or private information systems, applications, and/or networks. For this reason, we set out the general terms to be followed by application developers, system administrators, and network administrators when a vulnerability is found in their product.

Once we have found a vulnerability in another vendor’s product, the SPARC team takes a series of steps to address the issue:

  • The SPARC team will contact the appropriate product vendor and try to communicate regarding the vulnerability. This communication will be kept confidential between SPARC and the appropriate product vendor until the completion of the disclosure process.
  • The SPARC team will make contact via email.
  • The SPARC team will send a notification to CERT/CC 15 days after the first attempt at contacting the vendor. If the appropriate product vendor does not respond within 15 days, the SPARC team will also send a notification to CERT/CC.
  • SPARC follows the 45-day CERT/CC disclosure policy. SPARC and CERT/CC will prepare and work together to publish the details of the vulnerability at least 60 days after the first contact attempt.
  • After the disclosure, SPARC will release a security advisory on our blog.

For Indonesian Vendors Only

For product vendors located in Indonesia, the SPARC team will coordinate with the vendor directly, without CERT/CC involvement. The disclosure timeline will be as follows:

  • The SPARC team will contact the appropriate product vendor and try to communicate regarding the vulnerability. This communication will be kept confidential between SPARC and the appropriate product vendor until the completion of the disclosure process.
  • SPARC will prepare and work together with the product vendor to publish the details of the vulnerability at least 60 days after the first contact attempt with the product vendor.
  • The SPARC team will disclose the vulnerability if we do not get a response from the product vendor to our initial contact in the first 15 days.
  • SPARC will release the security advisory on our blog.

For further information, you can contact us by email: research<at>spentera<dot>id.

If you want to contact us using GPG-encrypted email, please download our public key here.