2021 Disclosure Policy

It’s been a half decade since we last updated our disclosure policy, and it’s time for us to iterate on it again. As we detailed in our previous post, while there is inherent value to our subscription customers in maximizing our 0-day shelf life, we can state empirically that such vulnerabilities can go unpatched for inordinately long times, and it is in the best interest of the community at large to keep vendors informed. As of the time of this writing, we have adopted the following simple disclosure policy.


Vulnerability information will be reported to the affected vendor six months after release to our subscribers.
Six months after this disclosure, or once the vendor has released a patch, whichever happens first, we reserve the right to publish details about the vulnerability.

This policy applies both to internally generated research and to any research acquired through our Research Sponsorship Program (RSP), an effort we maintain to crowdsource both 0-day and n-day research from individual contributors around the globe.


If you’re interested in learning more about our subscriptions, we welcome you to reach out to us at [email protected].


