We will always work privately with vendors or software authors where possible, so that time can be spent resolving a security problem before its publication. However, we also believe that publishing information about security vulnerabilities is a necessary and positive measure that helps to keep users’ data safe.
Accordingly, our disclosure policy is as follows. Upon identifying a security vulnerability we will:
- Attempt to identify a means of communicating privately with the vendor or author, and to report the issue to them.
- If we are unable to identify a means to communicate with a vendor or author, we will immediately publish the vulnerability.
- If we have asked the vendor or author to contact us, or if we have reported the problem, we will wait for 14 days for the report to be acknowledged. If the report is not acknowledged after that time, we will immediately publish the vulnerability.
- If the vendor or author responds to the report cooperatively, we will work with them to agree a date by which an update will be released. We will not normally agree to a date more than 60 days after the vulnerability was initially reported to the vendor.
- Having agreed a date, we will schedule the vulnerability for publication on that date.
- If it is not possible to agree a date, or if the vendor does not respond cooperatively, we will normally schedule the vulnerability for publication 30 days after its initial discovery.
- In cases where we feel that the vulnerability is particularly serious or severe, we may schedule the vulnerability for publication any time from 7 days after its initial discovery.
- If information about the vulnerability is published by a third party, we will immediately publish the vulnerability.