Coordinated Vulnerability Disclosure Guidelines
At HideVPN.org, we understand the critical importance of security in the digital world, especially when it comes to VPNs and technology products. We recognize that all technologies, including those we review and discuss, can contain security flaws. Therefore, we believe in the value of good-faith security research and the responsible disclosure of vulnerabilities.
Our Approach to Vulnerability Disclosure
Prioritizing Safety and Security:
Our primary concern is the safety of the companies and users who rely on these technologies. We aim to contribute to cyber threat prevention and to mitigate potential damage.
Responsible Disclosure Process:
When we discover a new vulnerability, our first step is to attempt to contact the entity responsible for the technology. We provide them with:
- A detailed report of the vulnerability.
- A suggested timeframe for patching the issue, typically a 30-day grace period, unless a shorter period is agreed upon.
- An offer of additional assistance or an extended grace period for complex vulnerabilities, up to a maximum of 120 days from the initial disclosure.
Engaging with CERT:
If the responsible entity is unresponsive, we reach out to the local computer emergency response team (CERT) for assistance in making contact and facilitating the patching process. This approach is also taken when the owner of the technology is unknown.
For sensitive information exchanges, we recommend and prefer using encrypted communication channels to ensure confidentiality and security.
Our general policy is to publish our findings once the issue has been resolved. In situations where vulnerabilities remain unaddressed, we still consider it in the public interest to report on these risks. However, we take great care to:
- Avoid sharing information that could enable bad actors to exploit the vulnerability.
- Notify the company or owner prior to publication, offering them the opportunity to comment on the issue.
Your Role in Vulnerability Disclosure
We encourage security researchers, readers, and tech enthusiasts to report any vulnerabilities they discover in the technologies we review. When doing so, please adhere to the following guidelines:
- Provide a clear, detailed description of the vulnerability.
- Refrain from exploiting the vulnerability beyond what is necessary to demonstrate its existence.
- Do not disclose the vulnerability to the public or third parties before it has been addressed.
If you have identified a vulnerability in a product or service we have reviewed, please contact us at INFO@hidevpn.org. We appreciate your efforts in making the digital world a safer place.