Vulnerability Disclosure Policy
Our vulnerability disclosure policy aims to achieve two things: to ensure vendors are given a reasonable amount of time to address reported issues, and to provide affected users with actionable vulnerability information.

When Project Black discovers a security vulnerability that affects third-party software, we will aim to coordinate responsible disclosure using the points below:
- We will attempt to initiate contact with the vendor responsible for the affected product.
- This may involve looking for security contacts in security.txt or in privacy policies, or reaching out directly via publicly listed communication channels.
- If no response is received, Project Black will persist with alternative contact methods over a period of up to 30 days. If these efforts are unsuccessful, we may choose to publicly disclose the vulnerability as a protective action for affected users.
- If contact is made, vendors will be granted up to 90 days from the date of disclosure to address the vulnerability through a patch or provide effective mitigation guidance.
- The exact timeframe will depend on the severity and potential impact of the vulnerability.
- If the vulnerability is found to be actively exploited in the wild, Project Black may reduce the response timeline significantly in order to protect affected users.
- If a public fix is released at any point before the end of the 90-day window, Project Black will proceed with public disclosure immediately.
- In cases where the vendor becomes unresponsive or continues to delay action without justification, Project Black may choose to publicly disclose the vulnerability in the interest of user safety.