Advisories

From time to time our consultants discover new vulnerabilities in software. Sometimes these discoveries result from internal research projects, and sometimes they are made during security engagements for clients. When vulnerabilities are discovered, IRM follows an industry-standard responsible disclosure policy. This involves contacting the software vendor, allowing them time to develop a patch to mitigate the vulnerability, and then releasing the vulnerability details and patch information through the normal IT security channels.

During communication with the vendor, but before a detailed security advisory is released, a 'Vendor Alert' is published. This provides a high-level description of the vulnerability class (without any details that may assist an attacker), any vendor reference that has been provided, and the current status of the patch release.

IRM believes that responsible disclosure of software vulnerabilities is the best way of ensuring the future security of both its clients and the Internet community in general.