Vulnerability Disclosure Policy
At ZDaylabs, we are committed to coordinated vulnerability disclosure. This policy outlines how we report security vulnerabilities to software vendors and the timeline on which we disclose them publicly.
Our Commitment
We believe in coordinated disclosure that balances the need for transparency with responsible security practices. Our goal is to help improve the security of software systems while giving vendors adequate time to address vulnerabilities.
Disclosure Timeline
90-Day Standard Window
We operate under a 90-day disclosure window from the date of initial vendor notification. This timeline allows vendors sufficient time to:
- Acknowledge and verify the vulnerability
- Develop and test appropriate fixes
- Coordinate release schedules
- Prepare security advisories
Reserved Rights
Important: While we typically adhere to the 90-day window, ZDaylabs reserves the right to disclose a vulnerability before the 90-day period ends under any of the following circumstances:
- Active exploitation of the vulnerability is detected in the wild
- The vulnerability poses an immediate and severe threat to users
- Vendor becomes unresponsive or refuses to acknowledge the issue
- Vendor requests unreasonable delays without justification
- Public disclosure would serve the greater security interest
Disclosure Process
Initial Contact
We will make reasonable efforts to contact vendors through official security channels, including:
- Dedicated security email addresses
- Bug bounty platforms
- Security contact forms
- Direct communication with security teams
Information Provided
Our initial disclosure will include:
- Detailed vulnerability description
- Proof-of-concept (when appropriate)
- Impact assessment
- Suggested remediation steps
- Our intended disclosure timeline
Coordination
We are committed to working collaboratively with vendors throughout the disclosure process. This includes:
- Regular status updates
- Clarification of technical details when needed
- Reasonable timeline adjustments for complex fixes
- Coordination on public disclosure timing
Public Disclosure
After the disclosure window expires or early disclosure conditions are met, we will publish:
- Technical analysis of the vulnerability
- Proof-of-concept code (when appropriate)
- Timeline of vendor communication
- Remediation guidance for users
Scope
This policy applies to security vulnerabilities discovered during our research, which covers:
- Third-party software and systems
- Web applications, mobile apps, and infrastructure
- Open source and commercial software
Contact Information
For questions about this policy or to report security issues to us, please contact:
Email: research@ZDaylabs.com
PGP Key: Available upon request
Policy Updates
This policy may be updated periodically to reflect changes in our disclosure practices or industry standards. The latest version will always be available on this page.
Last updated: January 2025