Disclosure Policy

Preferred Disclosure Timeline

In line with responsible disclosure practice, I follow a preferred timeline for vulnerability disclosure, commonly referred to as the “90/30 Policy.” It gives vendors a reasonable window to address a reported vulnerability while keeping the process transparent and protecting users in a timely manner. Once a vendor has been notified of a vulnerability, they are granted 90 days to develop and release a patch to their users. After the vulnerability has been patched, I will wait an additional 30 days before publicly disclosing its specific details. This approach aims to foster collaboration and prioritize the security of all stakeholders involved.

Exhaustive Contact Efforts

If attempts to contact the vendor are unsuccessful despite my diligent efforts, I recognize the importance of protecting users and maintaining transparency. To address this situation, I have established a supplementary policy known as the “45-Day Policy.” Under this policy, after 45 days of exhaustive contact attempts, I may find it necessary to make a limited public disclosure of the vulnerability. That disclosure will include a comprehensive timeline of my efforts to establish communication. It bears repeating that the primary objective remains a constructive discussion with the vendor to resolve the vulnerability; public disclosure without any response from the vendor is a last resort, not the goal.

Flexibility and Collaboration

I understand that vendors may sometimes need additional time to address an identified vulnerability, or that certain issues may need to be discussed in greater detail. In such cases, I strongly encourage vendors to contact me promptly to open a dialogue. I am committed to keeping an open line of communication and to accommodating reasonable requests. If extending the 90-day timeline better serves the security and well-being of end users, I am more than willing to consider such an arrangement. My ultimate aim is to foster a collaborative environment that promotes effective vulnerability mitigation and protects the interests of all parties involved.