All the different tests previously mentioned can be combined into larger red team assignments where specific goals and targets are set. The Toreon assessment team will then perform everything it takes to reach these goals/targets (within legal boundaries).
Coordinated Vulnerability Disclosure
Toreon strongly believes in Coordinated Vulnerability Disclosure.
During our work in information security we may discover previously unknown vulnerabilities in products (so-called 0-day vulnerabilities) that pose potential security risks to our clients and to the public community. Should we discover such a 0-day vulnerability, we will privately disclose it to the corresponding vendor and work with them to patch/solve the vulnerability. We believe that this coordinated vulnerability disclosure strikes a balance between addressing the public risk and the process necessary to release a high-quality patch for the vulnerability.
If the vendor has not reacted within 1 month after the discovery and private disclosure of the vulnerability, we consider them unresponsive and will proceed with a public disclosure of the vulnerability. Should the vendor not have provided a patch/solution for the discovered vulnerability within a reasonable timeframe after discovery (3 months), we will also publicly disclose the vulnerability.
If the vendor can give sufficient reasons for not disclosing the vulnerability information to the public, we will not disclose the vulnerability. However, if the vulnerability is being actively exploited in the wild, we will cooperate with the vendor on an urgent/immediate coordinated disclosure.
Any disclosed vulnerability information will also be shared with other parties, such as CERT organisations, MITRE (for CVE assignment), bug bounty programs, etc., so that they can act upon it as well. Proof-of-concept code that has been created to exploit critical vulnerabilities will not be released until 3 weeks after the public disclosure of the vulnerability, to give companies the necessary time to protect themselves. Other proof-of-concept code will be released together with the disclosure of the vulnerability.