Coordinated Vulnerability Disclosure

Last updated: June 4, 2026

VulnGuard Labs conducts original security research with the goal of making the software ecosystem safer for everyone. When our researchers discover vulnerabilities — whether through manual analysis, tool-assisted review, or collaborative investigation — we follow a principled, structured disclosure process designed to balance timely remediation with responsible communication.

This policy governs how VulnGuard Labs handles vulnerabilities we discover. If you are an external researcher who has found a vulnerability affecting VulnGuard Labs' own infrastructure or products, please refer to our Responsible Disclosure Policy instead.

Scope

This policy applies to vulnerabilities that VulnGuard Labs researchers discover independently in third-party software, including:

  • Open-source projects and libraries
  • Commercial software where authorized testing has been granted
  • Widely deployed infrastructure components or ecosystem dependencies

This policy does not cover vulnerabilities submitted to us by third parties, which are handled separately under our incoming responsible disclosure process.

Our Commitment

When we report a vulnerability, we commit to the following:

  • Providing a clear, human-reviewed technical report with reproduction steps
  • Offering suggested remediation guidance or candidate patches where feasible
  • Working collaboratively with maintainers and giving credit for fixes
  • Not weaponizing or exploiting the vulnerability outside of authorized research
  • Clearly labeling any AI-assisted findings and ensuring all reports include human researcher verification

Disclosure Timeline

We follow an industry-standard 90-day coordinated disclosure framework, with adjustments to account for severity, vendor responsiveness, and ecosystem impact. Our timelines are calculated from the date of initial vendor notification.

Standard: 90 days

Public disclosure occurs at 90 days or upon patch release, whichever comes first. We coordinate submission pace with maintainer capacity and avoid flooding projects with multiple reports simultaneously.

Extension: up to +14 days

If a vendor demonstrates active, verifiable progress toward a patch — such as a public commit, a scheduled release, or direct communication — we may extend the deadline by up to 14 additional days.

Critical / Active Exploitation: 7 days

Vulnerabilities with a CVSS score of 9.0+ or evidence of active in-the-wild exploitation are subject to a 7-day disclosure target. A single 7-day extension may be granted if a vendor formally requests it and demonstrates an active, emergency remediation effort.

Ecosystem-wide Issues: coordinated

When a vulnerability affects multiple vendors, shared libraries, or protocol implementations, we coordinate notification to all affected parties before any public disclosure, and we work with relevant CERTs or coordinating bodies as appropriate.

Non-responsive Vendors: 30-day escalation

If a vendor does not acknowledge or respond to our initial report within 30 days, we will escalate to external bodies (e.g., CERT/CC, relevant national CSIRT) and continue toward the standard 90-day deadline. We will attempt a second notification before escalation.

Technical Details: after patch release

After a patch is released, VulnGuard Labs generally waits 45 days before publishing full technical write-ups, proof-of-concept code, or detailed exploitation analysis. This buffer allows downstream consumers and distributors time to deploy the fix before attack primitives become public.

This window may be shortened if technical details are independently discovered and published elsewhere, or lengthened in consultation with the vendor when patch complexity warrants additional deployment time.

Reporting Standards

Every vulnerability report we submit meets the following standards:

  • Human verified: All findings are reviewed and confirmed by a human security researcher before submission, regardless of discovery method.
  • Reproducible: Reports include enough detail for the vendor to independently reproduce the issue.
  • Actionable: Where possible, we include a candidate fix or remediation guidance alongside the bug report.
  • Paced: To avoid overwhelming maintainers, we do not submit large volumes of reports to a single project simultaneously without prior coordination.
  • Transparent about tooling: Reports clearly indicate when AI-assisted tools contributed to discovery, with full human analysis provided.

Legal Safe Harbor

VulnGuard Labs conducts all research in good faith and within the scope of applicable law. We do not access systems or data beyond what is necessary to confirm a vulnerability's existence and impact. We do not retain, sell, or disclose any data obtained during research to unauthorized parties.

We encourage vendors receiving our reports to extend safe harbor protections for independent security researchers conducting good-faith vulnerability research. If you believe our research activities have inadvertently exceeded their intended scope, please contact us immediately at security@vulnguardsec.com so we can address the concern.

Exceptions and Special Cases

We reserve the right to deviate from the standard timeline when circumstances require it:

  • If a vulnerability is being actively exploited and poses imminent risk to users, we may disclose with minimal or no vendor notice.
  • If a vendor engages in legal threats, attempts to suppress disclosure, or acts in bad faith, we may accelerate disclosure after consulting legal counsel.
  • If the technical details become independently public before our deadline, we will disclose without further delay.

Contact

For questions about this policy, to discuss an active disclosure, or to request a timeline extension, please reach out to our security team:

We aim to acknowledge all disclosures within 2 business days.