Check Point Research Coordinated Disclosure Procedure

As part of the activities performed by Check Point Research (CPR), we occasionally obtain information regarding security vulnerabilities in third party products/software.
In such cases, our main concern is to report these vulnerabilities to the affected parties and assist in the creation of a fix.
We also believe it is our professional and social responsibility to share these security vulnerabilities with the public to raise awareness, and to assist developers, vendors, and members of the security community to defend against this threat and/or to provide effective mitigations.
Check Point Research will perform any necessary actions to provide the affected vendors/software with the necessary information required to effectively address this issue within a reasonable timeframe prior to public disclosure.

This policy outlines the actions and procedures followed by Check Point Research to responsibly disclose these vulnerabilities:

[+] Check Point Research will responsibly and promptly disclose all relevant information obtained regarding a security vulnerability to the party/ies responsible for the development of the software(s) and/or service(s) and/or product(s).

[+] Attempted contacts will be via any reasonable means possible and may include:

  • Any appropriate contacts or formal mechanisms listed on the official Web site of the affected party/ies.
  • Sending an email to ‘security@’, ‘info@’, ‘support@’, ‘secure@’ under the affected parties’ official domain.
  • A direct telephone call to an official representative using any available public/private contacts.
  • Using any intermediate contacts at our disposal.

[+] After Check Point Research exhausts all reasonable means of contact and the affected party fails to acknowledge our efforts, Check Point Research may publicly disclose this issue within 2 weeks (14 days) after the initial contact.

[+] If the affected party’s response is received within the timeframe outlined above, Check Point Research will allow 3 months (90 days) from the initial contact attempt to address this vulnerability with a security patch or other corrective measures as deemed appropriate. In extreme cases, following a reasonable statement from the affected party, Check Point Research may allow an additional 30 days extension at our discretion.
No further deadline extensions will be given under any circumstances.

[+] In cases where the reported vulnerability is confirmed to be actively used in-the-wild, due to the urgency and risk posed by the active usage of this vulnerability, Check Point Research will allow 48 hours (2 days) after the initial contact for the affected party to address this issue.

[+] A public disclosure will be released under these circumstances:

  • Following an official confirmation from the affected party stating the issue was fixed.
  • After the above deadline expires, if a vendor does not respond or is unable to provide a reasonable statement as to why this vulnerability was not fixed.
  • If the affected party is unable to, or chooses not to, fix the particular security vulnerability.

[+] Any public disclosure made by Check Point Research will not include any working exploits. The public disclosure will be redacted according to our discretion so as to prevent any easily achievable misuse of this issue by malicious entities, while still supporting our original goal of raising public awareness about this vulnerability.

The above procedure does not limit or prevent Check Point from releasing the information into our product lines (such as signatures), at any point from the initial date of discovery, in order to protect our customers.
Upon public disclosure, Check Point Research will provide the summary of the disclosure timeline and communications with the affected parties.

Check Point Research will formally and publicly release security disclosures on our official CPR-Zero web site. Only entries listed on the web site should be considered official Check Point Research disclosures.