Vulnerability Disclosure Policy
Black Lantern Security (BLSOPS LLC) is committed to coordinated, transparent vulnerability disclosure. The process below describes how we report vulnerabilities we discover in third-party products and how external researchers can submit CVE requests to us.
Scope
Vulnerabilities in vendor products discovered by BLSOPS, or related parties, while performing vulnerability research or security assessments, unless covered by another CNA's scope.
Vulnerability Submission Process
- Black Lantern Security will attempt to contact the product vendor using the vendor's publicly discoverable communication channels (e.g., public web form, email contacts, social media presence, phone number).
- Black Lantern Security will disclose all relevant vulnerability details to the vendor to assist in discovery, validation, and mitigation strategies.
- Black Lantern Security will keep vulnerability information confidential throughout the responsible disclosure process, within the agreed-upon disclosure window (typically 90 days, with exceptions for critical infrastructure and medical devices).
- Black Lantern Security will assign a CVE number to the vulnerability if the vendor is not a CNA or does not have an agreed-upon timeline for issuance of a CVE by another CNA.
- Black Lantern Security will release a public advisory with accompanying vulnerability details on the Black Lantern Security website after the closure of the responsible disclosure process (with exceptions for critical infrastructure and medical devices).
- Black Lantern Security will release a public disclosure at a reasonable date (typically 90 days) if the vendor is unreachable using the previously stated communication avenues or if the vendor becomes unresponsive for more than 30 days.
Submit for a CVE
If you would like to submit for a CVE, you can email us directly at cves@blacklanternsecurity.com or you can submit using the form below.