Policy
All vulnerabilities are disclosed following a 90-day coordinated disclosure timeline. This provides vendors adequate time to develop and deploy patches while ensuring timely public awareness.
Timeline
| Day | Action |
|---|---|
| 0 | Initial report to vendor security team |
| 7 | Follow-up if no acknowledgment received |
| 14 | Escalation to CERT/CC if vendor unresponsive |
| 90 | Public disclosure deadline |
Coordination
For vulnerabilities affecting multiple vendors or critical infrastructure:
- CERT/CC — Primary coordination partner for multi-vendor vulnerabilities. Cases are tracked through VINCE with assigned VU# identifiers.
- CISA — Federal system vulnerabilities affecting government infrastructure.
- Vendor Security Teams — Direct coordination for single-vendor issues with established security response programs.
Exceptions
- Early Disclosure — Timeline may be shortened if evidence of active exploitation is discovered, or if the vendor is unresponsive after multiple escalation attempts.
- Extended Disclosure — Extensions are granted only when the vendor demonstrates documented remediation progress and provides a specific patch timeline.
Scope
This policy applies to all vulnerability research published on this site. Findings are reported to vendors before any public disclosure, and coordination partners are kept informed throughout the process.