Coordinated Vulnerability Disclosure

Silent Breach supports responsible disclosure of security vulnerabilities.




Protecting our customers along with third-party vendors.


As security researchers ourselves, we deeply understand the implications of disclosing 0-day vulnerabilities before they have been patched or deployed in the field. As part of our pledge to protect our customers or any other vendors, we strive to always disclose security issues in a responsible manner. Silent Breach is also available to assist others in that process. Please reach out here or send us an email at incident@silentbreach.com if you need help communicating with a particular vendor, would like Silent Breach to reach out on your behalf, or wish to report a vulnerability in one of our own products.

Vulnerability disclosure guidelines

In order to protect our customers, please use the following guidelines whenever sharing a newly discovered vulnerability:

  • Please share a full vulnerability description with either Silent Breach or the vendor. This should include as many details as possible, including the OS version, software version, ports used (if applicable), and the versions of any other resources used. Please include the potential impact on users and systems.
  • If possible, please share a proof of concept including the necessary tools and environment to be used to reproduce the vulnerability.
  • Please also share any other limitations or conditions necessary for carrying out the exploit.
  • Wherever applicable, do not publicly disclose the vulnerability until the vendor has deployed a patch.
  • Please use our public GPG key to encrypt any information you wish to share.
  • Please indicate whether you wish to remain anonymous during this process.

As a standard practice for protecting our customers, Silent Breach does not confirm, discuss, or disclose any security issues or vulnerabilities until a fix has been released on all affected systems. We also ask security researchers to observe the same code of conduct until the vendor has addressed the issue.