We will always work privately with vendors or software authors where possible in order that time can be spent resolving a security problem before its publication. However, we do also believe that publishing information about security vulnerabilities is a necessary and positive measure that helps to keep users safe.
Accordingly, our disclosure policy is as follows. Upon identifying a security vulnerability we will:
- Attempt to identify a means of communicating privately with the vendor or author, and to report the issue to them.
- If we are unable to identify a means to communicate with a vendor or author, we will immediately publish the vulnerability.
- If we have asked the vendor or author to contact us, or if we have reported the problem, we will wait for 14 days for the report to be acknowledged. If the report is not acknowledged after that time, we will immediately publish the vulnerability.
- If the vendor or author responds to the report cooperatively, we will work with them to agree a date by which an update will be released.
- Having agreed a date, we will schedule the vulnerability for publication on that date.
- If it is not possible to agree a date, or if the vendor does not respond cooperatively, we will publish the vulnerability at our discretion. In this situation, we will do our best to balance the needs of the vendor and the needs of vulnerable users.
- If information about the vulnerability is published by a third party, we will immediately publish the vulnerability.