Introduction

At Trinity Cyber Security (Trinity), we are committed to improving cybersecurity for all by identifying and responsibly disclosing vulnerabilities in third-party products, systems, and services. Our goal is to help vendors address security weaknesses efficiently while maintaining ethical and professional standards.

Scope

This policy applies to any vulnerabilities identified by Trinity in third-party software, hardware, infrastructure, or services. We follow a structured and responsible disclosure process to ensure security issues are mitigated in a timely and coordinated manner.

Responsible Disclosure Guidelines

When we identify a vulnerability, we will:

  1. Privately Notify the Vendor: We will contact the affected vendor through its designated security contact, disclosure program or publicly available contact details.
  2. Provide Detailed Information: We will include a comprehensive report with details of the vulnerability, steps to reproduce it, potential impact, and any suggested mitigations.
  3. 90+30 Disclosure Deadline Policy: Trinity follows a 90+30 disclosure deadline policy: a vendor has 90 days from the date Trinity notifies it of a security vulnerability to make a patch available to users. If a patch is made available within those 90 days, Trinity will publicly disclose details of the vulnerability 30 days after the patch has been made available to users.
  4. Maintain Confidentiality: We will keep the details of the vulnerability confidential until the vendor has remediated the issue or the disclosure timeline has passed.
  5. Collaborate as Needed: We are open to working with vendors to validate fixes and assist in remediation efforts if requested.
  6. Public Disclosure Consideration: If the vendor does not acknowledge or act upon the report within the given timeframe, we may disclose the vulnerability to the public in the interest of security, following industry best practices.

Communication Process

To report a vulnerability to a vendor, Trinity will:

  1. Identify and contact the vendor's security team through an official channel.
  2. Share a structured vulnerability report, including proof-of-concept details if necessary.
  3. Engage in professional dialogue to support the vendor in understanding and resolving the issue.
  4. Track progress and follow up as needed to ensure timely resolution.

Recognition & Public Disclosure

We believe in transparency and responsible security practices. If a vendor wishes to acknowledge our contribution, we welcome public recognition. However, our primary goal is to ensure vulnerabilities are resolved before any public discussion.

Policy Updates

We may update this policy as necessary to reflect evolving best practices. We encourage vendors and stakeholders to review this policy periodically.

Trinity Cyber Security Security Team