Disclosure Policy

Vulnerabilities in software and hardware that can be exploited from the RF domain create a new frontier that removes the tangible element of the hack. Therefore, wireless threats can be more creative, unique, and serious in this uncharted space. No matter what the scope or magnitude of the vulnerabilities we discover, we strive to be responsible security researchers. We adhere to a strict disclosure process that ensures that all affected parties are kept fully apprised of our findings, with the public benefit as the primary motivator.

Key points:

- Original Research: Vulnerabilities reported by the Research Team are discovered by the Research Team—we do not broker or disclose flaws discovered by a third party.

- Confidentiality: For a period of 90 days following discovery of a vulnerability, all information regarding vulnerabilities, and communications with the vendor, will be kept confidential. Following such period, details of the vulnerability will be disclosed in accordance with this policy.

- Tracking: The public advisory, when published at the appropriate time, will contain a detailed timeline of research and disclosure.

- Timeline: We will disclose details to the public 90 days after initial disclosure to the vendor, regardless of whether a fix has been released. We feel that the public has the right to take responsibility to patch their system. We feel that 90 days is a sufficient period of time to allow a vendor to write, test and deploy a fix.

Once public disclosure has taken place, we will then attempt to activate detection of the vulnerabilities in our product so that our clients can benefit from additional protection and visibility into their RF airspace.

Process:

Our process, which we seek to refine continually as the standard in the IoT world evolves, is as follows:

1. Verification of vulnerabilities: This includes thorough and detailed documentation of how we reproduce the exploit internally, such as hardware and software platforms used, including the types of radios employed (Software Defined, or otherwise). Depending on the product, we will test all affected platforms beyond the initial discovery, and research additional avenues of attack.

2. Careful & secure management of research and Proof-of-Concept exploit code: As certain vulnerabilities can have high impact, we take the management and storage of documents and code related to PoC exploits very seriously. Bastille will always utilize best practices for isolating PoC exploits from the public-facing Internet.

3. Advisories in two forms: Bastille will issue advisories in two forms, the first of which is a detailed vendor document so that affected vendors have the complete information regarding the vulnerability. The goal is to provide the vendor with all of the information they need in order to easily reproduce the vulnerability. We will always make a good faith effort to notify the vendor before making a public disclosure. The second of which is a public document that describes only the essentials, should it be necessary to release before the public disclosure deadline is reached.

4. Request a CVE number: We will request a Common Vulnerabilities and Exposure (CVE) number to make it official through all the relevant channels, including reporting to the CERT Coordination Center (CERT/CC).

5. Initial vendor disclosure through all channels: This includes requesting confirmation of the issue, requesting a comprehensive list of affected platforms, and formulating an appropriate disclosure timeline.

6. Responding in a timely fashion to any requests for clarification from vendors: We expect to work closely with affected parties to ensure they are furnished with the appropriate information and support so the issue can be quickly and effectively patched.

7. Release of the Public Advisory: This will either be a coordinated release with the vendor, or an uncoordinated release following the expiry of the public disclosure deadline if the vendor refuses to acknowledge or fix issue. The release will be accompanied by details to allow for independent reproduction and verification of the vulnerability. This release will occur 90 days following Bastille’s notification to vendors but may be extended at Bastille's sole option, or reduced if the vendor(s) have a fix sooner. We generally provide this information to anyone who we feel can contribute to the solution, including researchers and vendors (often to vendors whose systems are not subject to the vulnerability).

To contact the Research Team, please email: research@bastille.net 

(GPG Key ID: 2E7383A7) - Version 1.2 (02/23/2016)

Fingerprint: 7672 98A7 6B9E 8E3B 40C9  1BED D631 3583 2E73 83A7