Vulnerability Disclosure Policy

Purpose

This document aims to standardize how Second Nature Security Oy (2NS) discloses security vulnerabilities in a responsible and controlled way. 2NS cooperates with vendors in order to fix the security vulnerabilities discovered by 2NS. The main goals for vulnerability disclosure are:

To help our customers to patch vulnerable systems to protect their organization.
To enhance the overall security in the industry by encouraging vendors to fix the detected vulnerabilities and deliver patches.
To release details of the vulnerability for appropriate parties so that the issues can be fixed.
To enhance public understanding of information security vulnerabilities

Vulnerabilities Affecting 2NS’ Customers

When a security vulnerability is detected within a customer’s environment or in a customer project, 2NS will honor the non-disclosure and contractual agreements established with the customer. 2NS will promptly inform the customer about the vulnerability and work together to determine the next steps. 2NS may publish vulnerability information or share it with relevant vulnerability coordinators like NCSC-FI, but only in cases where such actions are allowed by the customer.

Vulnerabilities Affecting 3rd Party Services and Products

If 2NS discovers a security vulnerability affecting a 3rd party service or product, 2NS will inform the vendor(s) directly or via a vulnerability coordinator such as NCSC-FI. When 2NS reports security issues in 3rd party services or products to the vendor or appropriate vulnerability coordinators, 2NS doesn’t disclose the customer’s identity, unless agreed upon separately with the customer.

For vulnerabilities related to 3rd parties that have the potential to affect a wider audience, 2NS follows disclosure timeframe of 90 days. Upon notifying the 3rd party about the vulnerability, 2NS will observe a 90-day waiting period before making the information regarding the vulnerability public. Publicly disclosing vulnerabilities can happen earlier if the 3rd party is able to provide a solution before the set deadline. This aspect is addressed separately in conversations with the 3rd party.

In specific cases, an extension beyond the 90-day timeframe can be agreed with the 3rd party.

If 2NS finds evidence that a previously-unknown vulnerability is under active exploitation against real users, 2NS can decide to replace the normal 90-day policy with a 7-day disclosure policy.