CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Request a Demo

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Request a Demo
Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

View All Trustwave Services
Solutions
BY INDUSTRY
BY REGULATION
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
We reduce cyber risk and fortify organizations
Awards and Accolades
Recognition by analysts and media outlets
Trustwave SpiderLabs Team
Global researchers, ethical hackers, and responders
Trustwave Fusion Security Operations Platform
Unprecedented security visibility and control
Trustwave Security Colony
Access to cybersecurity threat protection resources
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
Register
Login
Resources
BLOGS
UPCOMING
MEDIA & ASSETS
NOTICES
HELP
LEGAL DOCUMENTS

Trustwave SpiderLabs Vulnerability Disclosure Policy

Spending each day immersed in penetration tests and research into the latest threats, our SpiderLabs® experts occasionally discover new vulnerabilities as a part of their work. When that happens, we follow our established disclosure policy. Learn more about our disclosure policy below.

Policy Definitions

  • The vendor is the individual, group, or company that maintains the software, hardware, or resources that are related to the vulnerability.
  • The date of contact is the point in time when Trustwave SpiderLabs initially contacts the vendor about the vulnerability.
  • All dates, times, and time zones are relative to location of Trustwave headquarters (Chicago, IL).
  • All day counts are calendar.

The goals of this disclosure policy are education and risk reduction

  • Education of the vendor about the vulnerability and risk reduction through vendor patch or workaround development.
  • Education of Trustwave SpiderLabs on how the vendor intends to fix the vulnerability and risk reduction through developing protections in Trustwave products and services.
  • Education of the information security community and the public at large about the vulnerability and risk reduction through spreading awareness of a vendor patch / workaround as well as protections and security controls that can prevent exploitation of the vulnerability.

Policy

  1. The vendor will be given 14 days from the date of contact for an initial response. Should no contact occur by the end of 14 days, Trustwave SpiderLabs will evaluate the risk to our clients and may decide to disclose the vulnerability to its clients, at a minimum.
  2. Trustwave SpiderLabs will provide a best effort to honor requests from the vendor for additional information or help in reproducing the vulnerability. This will include providing configuration details and the scenario in which the vulnerability was discovered.
  3. The vendor is responsible for providing regular status updates (regarding the resolution of the vulnerability). If the vendor discontinues communication at any stage of the process for more than 30 days after date of contact, Trustwave SpiderLabs will view the vendor as non-responsive and will consider public disclosure.
  4. The vendor is encouraged to provide proper credit to Trustwave and to the researcher responsible for discovering the vulnerability. Suggested (minimal) credit would be: "Credit to [researcher name]  from the SpiderLabs team at Trustwave for disclosing the vulnerability to [vendor name] ."
  5. The vendor is encouraged to coordinate a joint public release/disclosure with Trustwave SpiderLabs so that advisories of the vulnerability and resolution can be made available together.
  6. The vendor will be given a maximum of 90 days after date of contact to release a patch. After 90 days Trustwave SpiderLabs will consider public disclosure.
  7. If a third party publicly discloses the vulnerability during this process, disclosure will be considered to be public and Trustwave SpiderLabs will work with the vendor for immediate disclosure.
  8. If the vulnerability is being actively exploited in the wild Trustwave SpiderLabs will work with vendor on an escalated disclosure timeline potentially less than seven days after date of contact if exploitation is experienced on a wide and public scale.
  9. Proof of concept code or technical explanation of exploitation of a vulnerability that is rated critical may be withheld for up to 14 days after public disclosure to allow time for organizations to protect themselves.