Disclosure Policy


In addition to its involvement in the business of information security, Spentera also conducts research to provide feedback, a different point of view, or simply another security vulnerability advisory.

This section outlines the involvement of the Spentera Vulnerability Research Team (VRT) in finding vulnerabilities in information systems, applications, and/or networks, either intentionally or unintentionally.

For this reason, we set general terms to be followed by application developers when a vulnerability is found in their application.

Initially, Spentera VRT will endeavor to contact the application developers and ask whether they are willing to follow our vulnerability disclosure policy.

  • If the application developers do not respond within 5 days, Spentera VRT will forward the security issue to the local CERT (Computer Emergency Readiness Team) or CSIRT (Computer Security Incident Response Team). For example, if the application developer is in the United States, we will forward the issue to CERT/CC; JP-CERT for Japan, MyCERT for Malaysia, and so on. A list of CERTs and CSIRTs from all over the world can be found here.
  • If the application developers agree and respond to our effort, the process will continue until both parties agree to disclose the issue to the public.
  • If the developers do not agree to the terms of our vulnerability disclosure policy, Spentera VRT will forward the issue to the responsible CERT/CSIRT where the application developers are located within 15 days.
  • If the issue is accepted by the CERT/CSIRT, Spentera will work with the CERT/CSIRT to disclose the issue.