Vulnerability Disclosure Policy
LAST UPDATED: April 23, 2024
Security is the top priority at HEROIC as our mission is to intelligently protect the world’s information. By 2020 there will be over 50 billion devices and web applications connected to the cloud, with HEROIC leading the charge to secure those resources. Beyond securing the technology of our clients and our own products we also work hard to find and remediate vulnerabilities that affect the masses. In accordance with our mission we have adopted the following vulnerability disclosure policies in the products and services that we work with.
HEROIC adheres to a 90-day disclosure deadline.
We notify vendors of vulnerabilities immediately, with details shared publicly with the defensive community after 90 days, or sooner if the vendor releases a fix. We’ve chosen a deadline timeline standardized by many of the largest technology companies in the world and feel it’s reasonably calibrated for the current state of the industry.
- Weekends and holidays. If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- Grace period. We have a 14-day grace period. If a 90-day deadline will expire but a vendor lets us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch. Public disclosure of an unpatched issue now only occurs if a deadline will be significantly missed (2 weeks+).
- Solutions. We will use our resources as much as possible to work with companies to help them provide fixes to users in a reasonable time.
- Assignment of CVEs. CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it’s important that the first public mention of a vulnerability should include a CVE. For vulnerabilities that go past deadline, we’ll ensure that a CVE has been pre-assigned.
We reserve the right to bring deadlines forward or backward based on extreme circumstances and we are committed to treating all vendors equally. We also expect to be held to the same standard when we find vulnerabilities in our own software. Our objective is to help reduce the number of people harmed by targeted attacks and we believe these policies are in line with our mission of intelligently securing the world’s information.