Vulnerability Disclosure Policy
HEROIC adheres to a 90-day disclosure deadline.
- Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- Grace period. We have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
- Solutions. We will use our resources as much as possible to work with companies to help them provide fixes to users in a reasonable time.
- Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we’ll ensure that a CVE has been pre-assigned.
We reserve the right to bring deadlines forward or backward based on extreme circumstances and we are committed to treating all vendors equally. We also expect to be held to the same standard when we find vulnerabilities in our own software. Our objective is to help reduce the number of people harmed by targeted attacks and we believe these policies are in line with our mission of intelligently securing the world’s information.