At Y-Security we report security vulnerabilities that we have identified in our research and in client projects to the vendors of the software in which the flaw has been identified. We see that as an act of making the internet safer and of supporting our clients in getting a long-term fix across their whole estate.
Our disclosure policy is responsible – we will always provide time to fix vulnerabilities, work with the vendor where possible and ensure the mitigation in place is sufficient. With our policy we align with Google’s vulnerability disclosure policy under the following terms:
- 90-day disclosure deadline, or sooner if the vendor releases a fix
- Disclosure only on German workdays
- 7-day disclosure deadline, if we believe the issue is under active exploitation (“0-day”)
- Immediate disclosure, if parts of the issue are disclosed by the vendor prior to the deadline
As always, we reserve the right to bring deadlines forward or backward based on extreme circumstances. Creating pressure towards more reasonably timed fixes will result in smaller windows of opportunity for attackers to abuse vulnerabilities. In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.
For any questions regarding our disclosure policy feel free to reach out via the usual communication channels listed on our Contact-Us page.