Disclosure Policy

72 hours. Then MITRE.

Our disclosure timeline reflects what vendors have earned through their behavior, not what the industry assumes they deserve.

72h: Notification

Vendor Notification Window

When we identify a vulnerability, we notify the vendor 72 hours before filing with MITRE. This is not a negotiation period. This is notification that a public record is about to be created.

The 72-hour window exists for one reason: to give the vendor an opportunity to coordinate their response with the CVE filing. It is not a courtesy period for the vendor to decide whether to acknowledge the issue. It is not an invitation to negotiate silence.

The standard industry practice is 90 days. We operated under that standard for six months. During that time, every vendor we worked with used the 90 days to do one of three things: ghost the researcher, silently patch without credit, or deny the finding until confronted with evidence. The 72-hour window is the result of documented bad faith from every vendor we engaged.

CVE: MITRE Filing

MITRE-Direct Filing

We file CVEs directly with MITRE as a CNA-independent researcher, bypassing vendor-controlled CVE Numbering Authority processes entirely.

Why. Most CVE Numbering Authorities (CNAs) are the vendors themselves. Asking a vendor that silently patched a vulnerability to assign a CVE for that vulnerability is asking them to create a public record of their own concealment. They have no incentive to do so. Our evidence shows they do not.

Filing directly with MITRE creates a public record that the vendor cannot suppress, delay, or misclassify. The CVE exists regardless of the vendor’s cooperation.

Extensions

Extended Timelines

Vendors who demonstrate good-faith disclosure practices earn longer notification windows. Good faith means: acknowledging the report, providing a timeline for remediation, and issuing a public advisory when the fix ships.

Vendors who have demonstrated concealment do not receive extended timelines. Concealment means: ghosting the researcher, silently patching without credit, denying the finding until confronted with evidence, or using the notification window to prepare a narrative rather than a fix.

We document vendor response behavior for every engagement. That documentation is available to regulators and enforcement bodies on request.

0d: Exceptions

Active Exploitation

If we have evidence that a vulnerability is being actively exploited in the wild, we file with MITRE immediately and notify the vendor simultaneously. There is no 72-hour window when users are actively at risk.

If a vendor has already silently patched the vulnerability but not disclosed it, we treat this as a documentation matter rather than an active threat. The CVE filing creates the public record that the vendor’s silent patch did not. Downstream users who have not received the patch are notified directly when we have contact information.

Questions

Responsible disclosure is a two-way street.

Researchers disclose responsibly. Vendors should remediate and disclose responsibly in return. When they do not, the timeline reflects that.