Encripto AS is strongly involved in secure software development, and we do research to discover trends, new vulnerabilities and better ways to reduce them. We want to be good Internet citizens and help the software industry, whether you are a vendor or a user.
All potential vulnerabilities found by Encripto AS will therefore follow a procedure for responsible disclosure. This applies regardless of whether the vulnerability is found in active research or by chance. Our goal is to balance the public need to be informed about the security issues and the vendor’s need to react effectively.
This gives vendors the opportunity to protect their users and fix security problems as quickly as possible, before malicious users exploit them. At the same time, users are aware of what risks they are exposed to, and they will get a chance to protect themselves.
Disclosure of vulnerabilities related to non-customers
Encripto AS will never disclose vulnerabilities from a project associated with a customer, since we are bound by confidentiality agreements in such situations.
Potential vulnerabilities that do not belong to a customer project will be responsibly disclosed. Encripto AS will notify the vendor (or the owner of the potentially vulnerable code), and then wait up to 60 days before we make the details of the potential vulnerability available to the public.
The period will give the vendor (or the owner of the potentially vulnerable code) enough time to implement a patch or fix the problem, and ensure that the vendor takes such potential vulnerabilities seriously. The time frame could be extended in cases where the vendor and Encripto AS decide to coordinate the disclosure of the issues and the software fix.
Open Source Software
Encripto AS will also follow the procedure for responsible disclosure if we discover a potential vulnerability in an open source project. The development team or maintainer of the project will be notified, and we will wait up to 90 days before we make the details public.
This should be enough time to implement a fix for the potential vulnerability. The time frame could be extended in cases where the open source project and Encripto AS decide to coordinate the disclosure of the issues and the software fix.
Research – Aalesund University College
Encripto cooperates with Process Innovation Lab (PIL). PIL is an interdisciplinary research group at Aalesund University College. The research areas are Holistic Enterprise Transformation Orchestration, Information and Communication Technology, Risk Management, Applied Modelling, Lean and other tools, techniques, principles and practices to support process change.