Coordinated Disclosure

When we find a vulnerability, we notify the vendor privately and allow a reasonable window for remediation before any public disclosure.

Reasonable means exactly what it sounds like. We're not in a rush, though we're not infinitely patient either.

If a vendor is actively working the problem, we'll work with them.

The security community and the public have a right to know about vulnerabilities that affect them — but that needs to be balanced against giving vendors a fair chance to fix things first.


Reporting to us

If you've found something that concerns one of our systems, we'd genuinely like to hear about it.

Encrypt to our public key and send to labs at… you know the rest.