What is a Disclosure Policy?

A disclosure policy is an explicit policy outlining the conditions under which the existence and/or details of a reported issue may be disclosed to third parties. Examples include:

Coordinated disclosure
Researchers may only share vulnerability details with third parties after the vulnerability has been fixed and the Program has provided permission to disclose OR 90 days after submission, whichever comes first.

Discretionary disclosure
Researchers may only share vulnerability details with third parties after requesting and receiving explicit permission from the Program.

Non-disclosure
Researchers are not permitted to share vulnerability details (and the existence of the program itself if private) with third parties.

By default, new programs are set to coordinated disclosure; however, you can contact us if you'd like your disclosure policy changed or customized.
