Vulnerability Disclosure Policy
This document outlines the official Vulnerability Disclosure Policy for Malicious Erection LLC.
TL;DR AS LONG AS VENDORS AREN’T DICKS, WE WON’T BE DICKS EITHER
ALSO THIS POLICY DOESN’T APPLY TO XIAOMI. WE WILL ALSO BE DICKS TO XIAOMI. FUCK XIAOMI.
Reach Out Policy
Malicious Erection LLC will endeavor to use communication channels documented by the vendor for security issues. If a security contact is provided, this will be used in the first instance, otherwise communication will be attempted by the most appropriate sources, such as:
- E-Mail to the vendor’s customer support
- Direct message (DM) via the vendor’s social media page(s)
Starting from the initial communication attempt, the vendor has 4 weeks to respond to Malicious Erection LLC. If no response is received, then Malicious Erection LLC will publicly disclose the technical details of the security issue immediately.
Communication Policy
If communication is established, then Malicious Erection LLC will work with the vendor to securely communicate the technical details of the security issue. Once details have been disclosed, it is expected that the vendor will inform Malicious Erection LLC about the intended fix for the security issue, as well as establish a “reasonable timeline” for the publication of patches and updates to the vendor’s customers. If a “reasonable timeline” is established, Malicious Erection LLC will agree to hold off on publicly disclosing its findings.
The definition of “reasonable timeline” is up to the sole discretion of Malicious Erection LLC. This timeline will typically include:
- An estimate on when patches will be developed internally
- An estimate on when the vendor expects to publicly release the patches
The vendor is expected to keep Malicious Erection LLC updated with the progress of the timeline. As the patch release date approaches, Malicious Erection LLC may reach out to the vendor for a status on the timeline.
If the communication between Malicious Erection LLC and the vendor stops due to the vendor failing to communicate, then the security issues will be publicly disclosed immediately. Below are some example reasons that will force Malicious Erection LLC to immediately disclose the security issue:
- If initial communication is established, but then the vendor does not reply to any other communication for 2 weeks.
- If a timeline is established, but the vendor continuously extends the timeline and the “Extension Policy” is breached (see below).
- If a timeline is established and Malicious Erection LLC reaches out for an update, but the vendor does not respond for 2 weeks.
Disclosure Date
When the vendor establishes a date on which patches are released and the vendor’s customers are notified, a coordinated “disclosure date” will be established between the vendor and Malicious Erection LLC. All technical details of the security issue will be disclosed once the “disclosure date” has been met. The technical details may include, but are not limited to, the following:
- Versions of the software/hardware that are affected by the issue
- Proof-of-Concept (PoC) that can replicate the issue, which may include instructions on how to run the PoC
- Details on how the issue was discovered and analyzed
- The vendor’s recommendation on how to mitigate the issue
- Timeline of communication events between Malicious Erection LLC and the vendor
Malicious Erection LLC prefers to have the “disclosure date” be the same date as when patches are released. However, the “disclosure date” may be extended further down the timeline due to various reasons, such as:
- The patches take significant time to reach the majority of the vendor’s customers
- Disclosing the technical details too soon may result in public harm or cause new damage
Two weeks prior to the “disclosure date”, Malicious Erection LLC may reach out to the vendor to confirm that both parties are on track to meet the agreed-upon date. If no response is received from the vendor, and the “disclosure date” is met, then Malicious Erection LLC will publicly disclose the technical details immediately on said date.
Extension Policy
It is understood that creating patches can have unintended consequences. Therefore, the vendor is encouraged to postpone the “disclosure date” for “reasonable reasons”, such as:
- The reported issue affects more software/hardware than initially found
- The patch breaks another piece of critical software/hardware
It is at the sole discretion of Malicious Erection LLC what counts as a “reasonable reason”. If Malicious Erection LLC has reason to believe that the vendor is postponing the disclosure date for iniquitous reasons, then the technical details of the security issue will be publicly disclosed immediately.