Let’s work together to ensure responsible, coordinated disclosure.
Your efforts as a vendor are key to making our digital spaces safer. I believe that by working together, we can promote responsible and coordinated disclosure to make your products safer for your users.
My 90+30/45 Policy
I adhere to a 90+30 disclosure deadline policy. Once I notify a vendor of a security vulnerability, I provide a generous 90-day window for them to develop a patch for users. If they succeed within this timeframe, I’ll disclose the vulnerability details publicly 30 days after the patch is made available. However, if, after 45 days of exhaustive efforts to contact the vendor, I receive no reply, I’ll proceed with public disclosure.
Flexibility
Recognizing that unforeseen challenges may arise, I understand that sometimes a bit more time is needed. If a vendor requires extra time to finalize a patch, just let me know. I’m a firm believer in cooperation, and flexibility is the key. If we’re on the same page, we can mutually agree to release vulnerability details later than initially outlined. It’s all about finding that right balance and working together seamlessly.
Private Disclosure and Discussion
I appreciate that certain situations call for a more discreet approach. If private disclosure is necessary, I am open to sorting things out and discussing the conditions. Your expertise is invaluable, and my aim is to ensure the disclosure process is beneficial for everyone involved. Feel free to reach out, and let’s initiate a conversation.
Your dedication to responsible disclosure is truly valued, and I’m here to support you in making a positive impact on the security landscape. Let’s maintain an open and collaborative dialogue.
Looking forward to contributing valuably!