Vulnerability Disclosure Policy

Last revised on January 19th, 2024

Our vulnerability disclosure policy has two goals:

  1. To ensure vendors are given a reasonable amount of time to address reported issues.
  2. To provide the security community and affected users with honest, useful, and actionable vulnerability details.

We believe we can achieve these goals by practicing coordinated disclosure. Our implementation of the coordinated disclosure process follows:

  1. VulnCheck will contact the affected vendor with vulnerability details and provide a 120-day deadline to fix the issues or publish an advisory.
  2. VulnCheck may provide customers with vulnerability details so they can take defensive measures while an official patch is being developed.
  3. VulnCheck will remain in regular contact with the vendor to coordinate a date to publish coordinated advisories.
  4. On the same day the vendor publishes a patch or an advisory, VulnCheck will publish a third-party vulnerability advisory.
  5. If the 120-day deadline passes without a vendor patch or advisory, VulnCheck will publish an uncoordinated third-party vulnerability advisory.

There are some minor caveats to our process:

  1. No deadline extensions will be given.
  2. VulnCheck will treat any published patch as a public disclosure.
  3. Communication will occur exclusively over email.
  4. VulnCheck will not participate in vulnerability disclosure programs that prohibit public disclosure or in any way attempt to control VulnCheck's work.

VulnCheck reserves the right to deviate from, or change, the outlined process as needed.