Disclosure Guidelines for Vulnerabilities in 3rd Party Software
When Zipi team members discover a security vulnerability in a 3rd party product, the following disclosure guidelines should apply:

- Our priority is to get the reported vulnerability fixed.
- If the 3rd party acknowledges the vulnerability and is working on a patch, we will keep the vulnerability details confidential until the issue is fixed.
- If possible, we will verify the fix before it is published.
- In special cases we might release details without a fix to make the public aware. This might, for instance, be the case when a vulnerability is being actively exploited.
- We aim for a fix within a 90-day deadline. We will treat this as a soft deadline and help to meet it when reporting.
- We will try to coordinate with the affected 3rd party to have a patch released before we release an advisory.