Vulnerability Disclosure Process

Scope

Vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA's scope.

Vulnerability Submission Process

  • Black Lantern Security will attempt to contact the product vendor using public communication channels discoverable for the vendor (e.g., public web form, email contacts, social media presence, phone number).
  • Black Lantern Security will disclose all relevant vulnerability details to the vendor to assist in discovery, validation, and mitigation strategies.
  • Black Lantern Security will keep vulnerability information confidential throughout the responsible disclosure process, within the agreed-upon disclosure window, typically 90 days (exceptions apply for critical infrastructure and medical devices).
  • Black Lantern Security will assign a CVE number to the vulnerability if the vendor is not a CNA or does not have an agreed-upon timeline for issuance of a CVE by another CNA.
  • Black Lantern Security will release a public advisory on the Black Lantern Security website after the closure of the responsible disclosure process with accompanying vulnerability details (with the exception of critical infrastructure and medical devices).
  • Black Lantern Security will release a public disclosure at a reasonable date (typically 90 days) if the vendor is unreachable by Black Lantern Security using the previously stated communication avenues or if the vendor becomes unresponsive for more than 30 days.

Submit for a CVE

If you would like to submit for a CVE, you can email us directly or submit using the form below.

