Give ATOSS sufficient time to develop suitable fixes
Fixing security vulnerabilities can be a long and arduous process as we work to develop a patch, ensure its compatibility with all relevant software versions, run comprehensive tests to ensure that the fixes run well and do not have any side effects, and provide it to our customers. As a vendor of business software, we provide security fixes not only for the latest version but also for many older versions of our software products. This means that we need to develop and thoroughly test feasible patches for a broad range of product versions, which can take time.
Do not publicize vulnerabilities until ATOSS customers have had time to deploy fixes
The deployment of patches for ATOSS products is usually more complicated than a software upgrade on a consumer PC. Depending on the nature of the vulnerability, deploying patches or updates in some cases requires configuration or deployment tasks with regard to customer-internal restrictions or processes. Some of our customers, for example, follow regular patching cycles. Considering these circumstances, we ask all security researchers to give ATOSS customers sufficient time to implement patches in their systems. As a rule of thumb, we suggest respecting an implementation time at the customer site of three months once the patch is released by ATOSS. In the interest of our customers, we ask all security researchers not to disseminate any kind of information or tools that would help to exploit the vulnerability during that time. Please also inform the R&D team about all your upcoming public advisories and external presentations with ATOSS product security content via email to firstname.lastname@example.org, including the intended content, at least 3 weeks in advance.
R&D Security Process
Download the complete ATOSS R&D security process here