Disclosure policy
We follow coordinated vulnerability disclosure practices to protect users while enabling vendors to remediate issues responsibly.
Intake channels
We accept reports via email and encrypted channels. If you need a secure intake workflow, request it and we will provide it.
Response expectations
We aim to respond quickly and keep reporters informed during triage and coordination.
- 01Acknowledgement within 3 business days when possible.
- 02Triage updates as severity and impact are confirmed.
- 03Coordination with affected vendors and stakeholders.
Remediation timelines
We typically target a coordinated remediation window around 90 days, with flexibility based on severity, exploitability, and operational constraints.
Publication criteria
We publish findings only when fixes are available or when a mutually agreed timeline is reached.
Fix availability
Advisories are published once patches or mitigations are released.
Mutual agreement
Timing is coordinated with affected parties to reduce risk to users.
User safety
Details are scoped to avoid enabling exploitation prior to remediation.