Security is the top priority at HEROIC as our mission is to intelligently protect the world’s information. There are over 30 billion devices and web applications connected to the cloud with little being done today to secure those resources. Beyond securing the technology of our clients and our own products, we also work hard to find and remediate vulnerabilities that affect the masses. In accordance with standards set by other reputable technology companies, and HEROIC.com’s mission, we have adopted the following vulnerability disclosure policies:
- Weekends and holidays – If a deadline is due to expire on a weekend or a public holiday, the deadline will be moved to the next normal work day.
- Grace period – We have a 7-day grace period. If a 7-day deadline is about to expire but a vendor lets us know before the deadline that breach remediation is scheduled for release on a specific day within 3 days following the deadline, public disclosure will be delayed until the breach has been remediated.
- Solutions – We will use our resources as much as possible to work with companies to help them provide fixes and notify users in a reasonable time.
- Weekends and holidays – If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- Grace period – We have a 14-day grace period. If a 90-day deadline is about to expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, public disclosure will be delayed until the patch is available.
- Solutions – We will use our resources as much as possible to work with companies to help them provide fixes to users in a reasonable time.
- Assignment of CVEs – CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability includes a CVE. For vulnerabilities that go past the deadline, we’ll ensure that a CVE has been pre-assigned.
We reserve the right to move deadlines forward or backward in extreme circumstances, and we are committed to treating all vendors equally. We also expect to be held to the same standard when vulnerabilities are found in our own software.
Depending on the severity of the data breach or software vulnerability, we reserve the right to publicize the information as a method to properly notify those affected or bring attention to general vulnerabilities.
Our objective is to help reduce the number of people harmed by targeted attacks and we believe these policies are in line with our mission of intelligently securing the world’s information.
We’re hiring the best practically-minded security researchers, and they contribute 100% of their time toward improving security across the Internet.