Moabi Disclosure Policy

Our vulnerability disclosure process

Last update: 23 April 2020

Purpose of the Moabi Disclosure Policy

Security is our first value. This document specifies how vulnerabilities discovered on the Moabi platform will be handled and reported to software manufacturers, Moabi users and the general public. It also serves as a means of reassuring software vendors that Moabi has a formal process for reporting vulnerabilities.

Moabi disclosure policy

When the Moabi team discovers a vulnerability, or one of its clients discovers a vulnerability and asks Moabi to handle the disclosure on their behalf (bugs discovered on the platform by our clients are their intellectual property, and we cannot force them to release them unless they choose to), a detailed report of the security analysis performed is sent to the vendor, along with suggestions on how to remediate the problems discovered. This first contact is made by email.

If the vendor fails to acknowledge the report within five (5) business days, Moabi may decide to report the vulnerability through an established CERT acting as an intermediary party. It is worth noting that these CERTs typically have their own disclosure timelines (see the US-CERT disclosure policy). After this initial five (5) day period, regardless of whether the vendor chose to collaborate with Moabi towards a fix, Moabi may choose, at any time, to inform a CERT of the existence and technical details of the vulnerability in order to facilitate a synchronized disclosure.

If Moabi receives an answer from the vendor within five (5) days of the initial report, Moabi will give the vendor a period of ninety (90) days to address the vulnerability. After this ninety (90) day period, Moabi will publicly release the details of the vulnerability in the form of an advisory, in order to inform the general public of its existence.

Because we acknowledge that more complex vulnerabilities may need more time to address, Moabi may decide to extend this initial ninety (90) day period, typically at the vendor's request, on a case-by-case basis. When this happens, Moabi will state it in its final advisory in order to maintain transparency.

The security of our users, systems, clients and of the wider internet is our first purpose. Moabi is committed to providing, in good faith, the technical assistance at its disposal to help vendors fix their software.

When a vulnerability is made public at the end of the ninety (90) day grace period, an advisory will be published on Moabi's website and on selected mailing lists.