The Vantage Point Responsible Disclosure Policy

When it comes to reporting zero-day vulnerabilities to vendors, there’s no standard that everyone agrees on.

One goal when defining a responsible disclosure policy was to facilitate a timely reaction from vendors, so our deadlines are relatively tight: Vendors get up to 60 days total to reproduce, confirm and fix the reported issues. We are of course aware that this can be too short in some cases, and we’ll push the advisory release date back for as long as needed provided that the vendor is working on a fix and keeps us updated.

In cases where the vendor is not responsive, or consistently fails to fix the reported issues, we may decide to release a public advisory even though an official patch is unavailable (usually including workarounds that fix the issues another way).

Download the full policy document here:

Vantage Point Responsible Disclosure Policy v1.1