P14. Addressing security vulnerabilities

The company should address security vulnerabilities when they are discovered.

Elements

  1. Does the company clearly disclose that it has a mechanism through which security researchers can submit vulnerabilities they discover?
  2. Does the company clearly disclose the timeframe in which it will review reports of vulnerabilities?
  3. Does the company commit not to pursue legal action against researchers who report vulnerabilities within the terms of the company’s reporting mechanism?
  4. (For mobile ecosystems) Does the company clearly disclose that software updates, security patches, add-ons, or extensions are downloaded over an encrypted channel?
  5. (For mobile ecosystems and telecommunications companies) Does the company clearly disclose what, if any, modifications it has made to a mobile operating system?
  6. (For mobile ecosystems and telecommunications companies) Does the company clearly disclose what, if any, effect such modifications have on the company’s ability to send security updates to users?
  7. (For mobile ecosystems) Does the company clearly disclose the date through which it will continue to provide security updates for the device/OS?
  8. (For mobile ecosystems) Does the company commit to provide security updates for the operating system and other critical software for a minimum of five years after release?
  9. (For mobile ecosystems and telecommunications companies) If the company uses an operating system adapted from an existing system, does the company commit to provide security patches within one month of a vulnerability being announced to the public?
Research guidance

Computer code is not perfect. When companies learn of vulnerabilities that could put users and their information at risk, they should take action to mitigate those concerns. This includes ensuring that people are able to share any vulnerabilities they discover with the company. We believe it is especially important for companies to provide clear disclosure to users about the manner and time period in which users will receive security updates. In addition, since telecommunications providers can alter open-source mobile operating systems, we expect these companies to disclose information that may affect a user’s ability to access these critical updates.

Potential sources:

  • Company privacy policies
  • Company security guide
  • Company “help” forums