Vulnerability Disclosure Policy

At ThreatStrike, we take the security of our systems, services, and clients very seriously. We recognize the importance of working cooperatively and transparently with security researchers, vendors, and affected parties to identify and resolve vulnerabilities in a responsible and timely manner.

This Vulnerability Disclosure Policy outlines our commitment to responsible (also known as "coordinated") disclosure. It describes the steps we take when a security issue is reported, our expectations regarding communication and timelines, and the conditions under which we make public disclosures.

Commitment to Coordinated Disclosure

We adhere to widely accepted industry standards for vulnerability disclosure. As part of our process:

  • We notify the affected vendor or service provider as soon as we have confirmed the presence of a vulnerability.
  • We provide sufficient technical detail to allow the vendor to understand, reproduce, and begin remediation of the issue.
  • We allow the vendor a standard remediation window of 90 calendar days, counted from the date we first notify the vendor of the issue. Once that window closes, we may publish the vulnerability details unless one of the exceptions below applies.
  • If the vendor releases a fix before the 90-day window ends, we may publish our disclosure earlier, timed to coincide with the release of the fix.

Exceptions to the 90-Day Policy

While our default disclosure timeline is 90 days, we recognize that flexibility is occasionally warranted. The following exceptions may apply:

  • If the scheduled deadline falls on a weekend or a United States federal holiday, the deadline will automatically roll over to the next business day.
  • If the vendor communicates to us, prior to the deadline, that a fix is scheduled to be released within 14 days after the 90-day window, we will generally delay public disclosure to coincide with the release of the fix.
  • If we observe a vulnerability that is unpatched and not yet publicly known (commonly referred to as a “zero-day”) being actively exploited in the wild, we apply an expedited disclosure timeline of seven (7) calendar days from our notification to the vendor. The rationale is simple: every additional day of silence leaves more users and systems exposed to an attack that is already under way. If the vendor has not released a patch or a public advisory by the end of the 7-day period, we may publicly disclose limited technical details, sufficient for affected users to take self-protective action.

For actively exploited vulnerabilities, we strongly encourage vendors to provide interim guidance to users (e.g., temporary mitigations, configuration changes, or availability of hotfixes) even if a full patch is not yet available.

CVE Assignment and Tracking

We support the Common Vulnerabilities and Exposures (CVE) system as the industry standard for identifying and cataloging publicly known cybersecurity issues. Whenever possible, we obtain a CVE identifier before publication so that it appears in the first public disclosure of a vulnerability; this avoids confusion and gives vendors, users, and other researchers a single consistent reference for the issue.

Escalation to CERT/CC for Non-Responsive Vendors

If a vendor does not acknowledge or respond to our initial contact within fifteen (15) calendar days of our first attempt, we reserve the right to escalate the issue to the CERT Coordination Center (CERT/CC) or an equivalent national incident response organization (CSIRT). Escalation does not by itself change the 90-day disclosure window; its purpose is to ensure that the vulnerability is addressed in a timely and responsible manner even when the vendor is initially unresponsive.

Right to Adjust Timelines Based on Circumstances

While we aim to maintain consistent treatment across all vendors and scenarios, we reserve the right to adjust the standard disclosure timeline (either shortening or extending it) based on exceptional circumstances, including but not limited to:

  • The potential severity and impact of the vulnerability
  • Evidence of active exploitation or imminent threat
  • Unusual vendor behavior, such as extended silence or bad faith engagement
  • Requests from coordinated disclosure partners, government agencies, or industry peers

We strive to treat all vendors equally and without preference, and our disclosure practices are guided by the principles of fairness, user protection, and long-term improvement in the software security ecosystem.

How to Report a Vulnerability to ThreatStrike

If you have discovered a security vulnerability in a ThreatStrike-managed system, application, or asset, we encourage you to report it promptly and responsibly. Please submit your report via our secure disclosure portal:

Submit a Vulnerability Report

We appreciate the efforts of independent security researchers and will engage in good faith to validate, acknowledge, and address reported vulnerabilities in accordance with this policy.

Ongoing Vulnerability Advisories

For a list of vulnerabilities disclosed by ThreatStrike researchers, including links to published CVEs and technical advisories, please refer to:

ThreatStrike Vulnerability Advisories

Thank you for helping us improve the safety and security of the digital ecosystem.