04.25
Digital Echidna and Spentera work together on vulnerability discovery research. Therefore, we use the same policy as Spentera.
Spentera and Digital Echidna are involved in finding vulnerabilities in information systems, applications, and/or networks, either intentionally or unintentionally. For this reason, we have set general terms to be followed by application developers when a vulnerability is found in their application.
Initially, we will endeavor to contact the application developers and ask whether they are willing to follow our vulnerability disclosure policy.
If the application developers do not respond within 5 days, we will forward the security issue to the CERT (Computer Emergency Readiness Team) or CSIRT (Computer Security Incident Response Team) where the application developer is located (US-CERT for the United States, JP-CERT for Japan, MyCERT for Malaysia, etc.). A list of CERTs and CSIRTs from all over the world can be found here.
If the application developers agree and respond to our effort, the process will continue until both parties agree to disclose the issue to the public. If the developers do not agree to the terms of our vulnerability disclosure policy, we will, within 15 days, forward the issue to the CERT/CSIRT where the application developers are located.
If the issue is accepted by the responsible CERT/CSIRT, our coordinated security vulnerability disclosure policy will change to that of the responsible CERT/CSIRT. This means we will use and work with the CERT/CSIRT's vulnerability disclosure policy to disclose the issue.
