Introduction

At McAiden, our commitment to cybersecurity leads us to carry out vulnerability research and security assessments. In the course of this work we may identify security vulnerabilities in both proprietary and open-source software products. Because such findings matter, we share them responsibly with the affected product vendors, our clients, and the broader security community. Our primary objective is to reduce the risk that disclosure of a vulnerability creates, by ensuring that it is fixed before details become public and that the disclosure itself affects the involved parties as little as possible. This Responsible Disclosure Policy sets out the procedures and timelines we follow so that identified security issues are resolved before any public release of information.

90-day Disclosure Deadline Policy

In line with industry practice, notably the policy adopted by Google, McAiden enforces a 90-day disclosure deadline. Once McAiden notifies a vendor of a security vulnerability, the vendor has 90 days to develop and release a patch to its users. Once the patch is available, McAiden reserves the right to publish the details of the vulnerability.

For instance, if a vendor fixes a reported flaw on the 47th day after our notification, McAiden may publish the vulnerability details from the 48th day onward. Conversely, if the vendor has not fixed the issue within the 90-day window, McAiden will publish the details once that period has elapsed, whether or not a patch exists.

In-the-wild vulnerabilities

Our policy changes when there is concrete evidence that a vulnerability is being actively exploited against users in the wild. In that case the standard 90-day deadline is replaced by an expedited 7-day deadline, because users face an immediate threat and the value of early public awareness outweighs the extra time a vendor would otherwise receive.

Mutually Agreed Early Disclosure

McAiden recognises that some circumstances justify publishing vulnerability details earlier than our standard deadlines allow. In such cases McAiden is open to agreeing an earlier disclosure date with the affected vendor. Any early disclosure follows a discussion between McAiden and the vendor and takes into account the potential consequences of publishing sooner.

Mutual Agreement Exception

At any point, if the vendor is actively working on a fix but needs more time, McAiden and the vendor can mutually agree to extend the disclosure deadline. An extension depends on transparent communication about the work being done to address the issue and a reasonable timeline for completing the fix. Extensions typically add 30 to 60 days, but they can be shorter or longer depending on the specific circumstances and the negotiation between McAiden and the vendor.

Disclosure Timeline Summary