What is a Disclosure Policy?
A disclosure policy is an explicit policy outlining the conditions under which the existence and/or details of a reported issue may be disclosed to third parties. Examples include:
Researchers may only share vulnerability details with third parties after the vulnerability has been fixed and the Program has provided permission to disclose OR 90 days after submission, whichever comes first.
Researchers may only share vulnerability details with third parties after requesting and receiving explicit permission from the Program.
Researchers are not permitted to share vulnerability details (and the existence of the program itself if private) with third parties.