This policy explains how Verichains handles responsible vulnerability disclosure to vendors, customers, security vendors, and the public. Verichains will notify the relevant vendor of any security flaw in their product or service promptly and responsibly, through appropriate contacts or formal mechanisms listed on the vendor website or by email. At the same time, Verichains may distribute protection filters to its customers through approved channels.
If a vendor fails to respond to Verichains' initial notification within five business days, Verichains will make a second formal attempt to contact the vendor. If the vendor does not respond after an additional five business days following the second notification, Verichains may rely on an intermediary to establish contact. If Verichains exhausts all reasonable means to contact the vendor, it may issue a public advisory disclosing its findings fifteen business days after the initial contact.
In the event that a vendor responds within the specified timeframe, Verichains will allow the vendor 4 months (120 days) to address the vulnerability with an appropriate security patch or corrective measure. If the vendor fails to respond or to provide a satisfactory explanation as to why the vulnerability is not fixed, Verichains will issue a limited advisory including mitigation measures to enable the defensive community to protect users. Verichains believes that these actions will encourage the vendor to fulfill their responsibility to their customers and respond appropriately. Verichains may grant extensions to the 120-day timeline in exceptional circumstances, at its sole discretion.
For vulnerability disclosures resulting from an incomplete or faulty security patch, Verichains will follow a tiered disclosure timeline. For Critical-rated bugs where active exploitation is detected or imminent, vendors will have 30 days to produce a new security patch or corrective measure. For Critical- and High-severity vulnerabilities where the original patch provides some protection and exploitation is not imminent, the disclosure window will be 60 days. All other reports in this category will have a 90-day disclosure window. For more information on this part of our disclosure policy, please refer to our blog.
Verichains follows a responsible vulnerability disclosure policy to ensure that security flaws in products or services are addressed in a timely and transparent manner. If a vendor is unable or unwilling to patch a security flaw, Verichains will work with them to find effective workarounds and will not keep any acquired vulnerabilities confidential. A summary of the communication with the vendor regarding the issue will be published to maintain transparency in the process. Verichains will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw.
The security advisories will be formally and publicly released on Verichains' website, and only advisories listed on the website should be considered official. By following this policy, Verichains aims to help vendors understand their responsibility to their customers and ensure that the defensive community can protect users.