Vulnerability Disclosure Policy
I believe that security vulnerabilities should be reported to vendors before public disclosure. To that end, I've developed this brief Vulnerability Disclosure Policy (VDP) to outline my approach to coordinated disclosure.
After I discover a vulnerability:
- I will attempt to notify the vendor. In parallel, I may privately notify a limited set of affected users (e.g. if the software is utilised by organisations operating bug bounty programs; rewards from these programs fund my research).
- I will immediately initiate a 45-day countdown. Within this window, I expect the vendor to confirm the vulnerability, develop and release a patch, and publish a security advisory.
- If the vendor successfully patches the vulnerability within the 45-day timeline, I will publicly disclose the vulnerability 14 days after the patch is released. This gap is intended to provide users adequate time to apply the patch.
- If the vendor doesn't resolve the vulnerability within the 45-day period, I will proceed with public disclosure immediately following the 45-day window.
Extensions to the 45-day window
I understand that occasionally a vendor may need more time to develop and release a reliable fix. In such cases, I expect that the vendor will notify me as early as possible, providing a proposed alternative disclosure date and a clear justification for the extension request.
Not all requests for extension will be granted. While I am willing to defer publication when there is a legitimate technical rationale, I will not postpone publication for reasons that I consider unreasonable or inappropriate, including those primarily related to the vendor's commercial interests.
Conflicts with vendor VDPs
I recognise that some vendors maintain their own vulnerability disclosure policies. While I welcome these frameworks, they may conflict with my own policy. Unless I explicitly notify you otherwise, disclosure will proceed under this policy, not the vendor's.
My disclosures are not advisories
Vendors should be aware that my disclosures are not security advisories. I publish technical write-ups, which are often complete with proof-of-concept exploit code. I expect that the vendor will publish and announce their own security advisory before my publication, which I will typically reference.
Non-public advisories and disclosure timing
I will consider a patch to be released the moment it is obtainable via any official channel, regardless of how widely it is announced. I discourage silent or customer-only advisories because they leave non-customers in the dark and at greater risk. Absent a mutually agreed extension, the intentionally restricted or phased distribution of an advisory will not delay my disclosure.
Deviations
I reserve the right to depart from this policy and disclose in a manner that I deem appropriate and responsible, for example if the vulnerability is being actively exploited, or a proof-of-concept exploit is readily available to the public.
VDPs are not bound by legislation, and I act in accordance with my professional judgement and ethical standards.