Disclosure Policies
LAST UPDATED: February 15th, 2024
Security is the top priority at HEROIC as our mission is to intelligently protect the world’s information. There are over 30 billion devices and web applications connected to the cloud with little being done today to secure those resources. Beyond securing the technology of our clients and our own products, we also work hard to find and remediate vulnerabilities that affect the masses. In accordance with standards set by other reputable technology companies, and HEROIC.com’s mission, we have adopted the following vulnerability disclosure policies:
HEROIC adheres to a 7-day disclosure deadline. We notify vendors immediately after details have been verified, with the details shared publicly after 7 days, or sooner if the vendor releases a fix.
Weekends and holidays – If a deadline is due to expire on a weekend or a public holiday, the deadline will be moved to the next normal work day.
Grace period – We have a 7-day grace period. If a 7-day deadline will expire but a vendor lets us know before the deadline that breach remediation is scheduled for release on a specific day within 3 days following the deadline, the public disclosure will be delayed until the breach has been remediated.
Solutions – We will use our resources as much as possible to work with companies to help them provide fixes and notify users in a reasonable time.
HEROIC adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared publicly with the defensive community after 90 days, or sooner if the vendor releases a fix. We’ve chosen a deadline timeline standardized by many of the largest technology companies in the world and feel it’s reasonably calibrated for the current state of the industry.
Weekends and holidays – If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
Grace period – We have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.
Solutions – We will use our resources as much as possible to work with companies to help them provide fixes to users in a reasonable time.
Assignment of CVEs – CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we’ll ensure that a CVE has been pre-assigned.
We reserve the right to bring deadlines forwards or backwards based on extreme circumstances and we are committed to treating all vendors equally. We also expect to be held to the same standard when we find vulnerabilities in our own software.
Depending on the severity of the data breach or software vulnerability, we reserve the right to publicize the information as a method to properly notify those affected or bring attention to general vulnerabilities.
Our objective is to help reduce the number of people harmed by targeted attacks and we believe these policies are in line with our mission of intelligently securing the world’s information.
HEROIC is hiring! We know that most security researchers do what they do because they love what they do. Please take a look at our open positions at https://careers.heroic.com. In addition to open positions, we are involving the wider community through reward initiatives, guest blog posts and more.
We’re hiring the best practically-minded security researchers and contributing 100% of their time toward improving security across the Internet.