Privacy, Confidentiality and Disclosure Policy

About OneStopAppSecurity.com

OneStopAppSecurity.com is a security consulting company. It provides security consulting services to clients found through traditional marketing, public speaking, publications, word of mouth, and similar channels.

General Principles

Under all circumstances, OneStopAppSecurity.com strives to be guided by the highest ethical, moral and legal standards possible. OneStopAppSecurity.com puts the confidentiality of its clients above all other concerns. That being said, OneStopAppSecurity.com recognizes that ignoring a serious vulnerability and prematurely publicizing a serious vulnerability are both actions that are often highly detrimental to all involved parties.

As a result of these beliefs, OneStopAppSecurity.com is a fervent believer in responsible disclosure. Whenever OneStopAppSecurity.com believes it has discovered a vulnerability that is not covered by a non-disclosure clause in a client contract and is of sufficient severity that it must be disclosed, OneStopAppSecurity.com will turn over relevant information about the vulnerability to an impartial mediator, who will work with all parties involved and make the final decision about disclosure. Details of how OneStopAppSecurity.com practices responsible disclosure are in the section Details of Responsible Disclosure. The schedule for involving an impartial mediator varies by circumstance and is explained in the following sections. It should be noted that OneStopAppSecurity.com and the impartial mediator share the same goal: finding a balance between ignoring a serious security issue until an attacker exploits it and disclosing the vulnerability in a manner that harms the second party or the general public.

Definitions of Clients, Prospective Clients, Non-Clients, and the General Public

A client is any person, company, organization, or other similar group ("second party") with which OneStopAppSecurity.com has entered into a contract under which OneStopAppSecurity.com acts as a security consultant for or on behalf of the second party. A prospective client is a second party with which OneStopAppSecurity.com is discussing, negotiating or otherwise considering entering into a contract under which OneStopAppSecurity.com would act as a security consultant. It is at the sole discretion of OneStopAppSecurity.com to determine whether communications with a second party qualify that party as a prospective client. Non-clients are second parties that are neither clients nor prospective clients. The general public is everyone else, particularly users of second-party applications and sites.

Confidentiality for Clients

Clients receive the highest degree of confidentiality and privacy. From the time a client begins discussing a service contract (i.e., becomes a prospective client), all communications, exchanged information, discussions, and similar material will be considered confidential by OneStopAppSecurity.com. There are two exceptions.

  • Warrants, subpoenas or other applicable legal or regulatory orders that compel OneStopAppSecurity.com to breach confidentiality will be handled as documented in the Exceptions section below.
  • Any knowledge OneStopAppSecurity.com has about security issues pertaining to a client prior to the signing of the contract is not covered by this confidentiality statement. In the case of prior knowledge about a security issue, OneStopAppSecurity.com will, if in OneStopAppSecurity.com's opinion the prior knowledge presents a serious threat to the general public, inform the client that it feels a civic duty to disclose the prior knowledge as described in the Details of Responsible Disclosure section. Only information that was learned prior to the second party becoming a prospective client will be disclosed. In this event, OneStopAppSecurity.com will make a reasonable effort to notify the client of its plans to disclose the specific security issue and will attempt to arrive at a solution that minimizes harm to all parties before disclosing said information. OneStopAppSecurity.com will not report the issue to an impartial mediator until at least fourteen (14) days after its first attempt to communicate with the client. If the client is actively working on remediating the security issue, OneStopAppSecurity.com can, at its sole discretion, delay or even omit notifying an impartial mediator. Note that an impartial mediator will only be contacted when OneStopAppSecurity.com believes that the vulnerability puts the general public at great risk.

Confidentiality for Prospective Clients

Second parties do not typically remain prospective clients for long. Either they sign a service contract with OneStopAppSecurity.com and become a client, or they choose not to become a client. In general, any communications with a prospective client will be treated as confidential in perpetuity. This includes the fact that communications are ongoing or have occurred in the past. The following are the exceptions to this confidentiality:

  • Warrants, subpoenas or other applicable legal or regulatory orders that compel OneStopAppSecurity.com to breach confidentiality will be handled as documented in the Exceptions section below.
  • If, prior to having interacted with a second party (i.e., before it became a prospective client), OneStopAppSecurity.com found a vulnerability in the second party's site and believes that it might put the general public at great risk, OneStopAppSecurity.com will notify the prospective client of this. No information will be given to an impartial mediator, as described in the section Details of Responsible Disclosure, sooner than seven (7) days after the second party decides not to hire OneStopAppSecurity.com. Note that an impartial mediator will only be contacted when OneStopAppSecurity.com believes that the vulnerability puts the general public at great risk.
  • If OneStopAppSecurity.com believes that the prospective client is negotiating in bad faith, OneStopAppSecurity.com may, at its sole discretion, report the vulnerability to an impartial mediator. Whenever possible, OneStopAppSecurity.com will inform the prospective client of its intentions at least one (1) business day before the report is made.

Non-Clients

Some security companies dedicate significant effort to looking for problems in web sites that belong to second parties with whom they have no existing relationship. This is typically done with the goal of selling their proprietary services or software (e.g., monitoring services, intrusion detection software or intrusion prevention software) to the second party. OneStopAppSecurity.com does not provide, and currently has no plans to provide, proprietary services or software. For this reason, OneStopAppSecurity.com does not put effort into looking for security problems in non-clients' applications. That being said, security issues in non-client applications are frequently found by accident.

When OneStopAppSecurity.com finds a security issue in a non-client's application, OneStopAppSecurity.com will, as it determines is best, either ignore the security issue or report it to the non-client. Along with the report of the security issue, OneStopAppSecurity.com may discuss entering into a service contract with the second party. If this occurs, the non-client becomes a prospective client and is treated as such.

At the time of reporting the security issue to the second party, OneStopAppSecurity.com will inform the second party whether or not OneStopAppSecurity.com believes the security issue might be a threat to the general public. If OneStopAppSecurity.com determines, to the best of its ability, that the issue is not a threat to the general public (e.g., a vulnerability that affects the second party's profits but does not affect the assets or confidentiality of the general public), then OneStopAppSecurity.com will treat the issue as confidential and not report it further. If OneStopAppSecurity.com determines, to the best of its ability, that the general public may be at risk due to the vulnerability, it will give the non-client seven (7) days to respond to the issue report. After this time, if OneStopAppSecurity.com is still concerned about the risk to the general public, it will provide information about the security problem to an impartial mediator and let the mediator work with the non-client to determine how to proceed. More details of this process are in the section Details of Responsible Disclosure.

Details of Responsible Disclosure

When OneStopAppSecurity.com believes that the interests of the general public may outweigh those of a prospective client or non-client, it will follow the US government's policies for disclosure, remediation and third-party intervention. Typically this will involve informing CERT/CC of the vulnerability and allowing them to handle the disclosure as they see fit. Some links describing the process include:

Barring unforeseen situations, OneStopAppSecurity.com will always rely on a third-party mediator to work with the prospective client or non-client in determining the best means of dealing with the vulnerability.

Exceptions

In all cases, should OneStopAppSecurity.com be advised by legal counsel that it is legally compelled to disclose by applicable laws, regulatory agencies or other governing bodies with appropriate jurisdiction, OneStopAppSecurity.com will attempt to maintain confidentiality by pursuing any and all reasonable legal options. Should OneStopAppSecurity.com exhaust what it considers reasonable legal options, it will disclose only the minimum that it is compelled to disclose.

Modification of Privacy Policy

OneStopAppSecurity.com reserves the right to update this policy without advance warning. That being said, OneStopAppSecurity.com will endeavor to make as few changes to this policy as possible and to ensure that any changes made move in the direction of greater confidentiality. Furthermore, in the event of a change to this policy, OneStopAppSecurity.com will try to give as much notice as possible to all affected parties. Where confidentiality and privacy statements are associated with a signed contract, the stricter of the policy in effect at the time of the contract and the newer policy will be upheld.

Should any portion of this policy be invalidated by a civil or legal action, only the specific portions that are required to be modified will change. The rest of the policy will remain in effect.
