Purpose
This policy outlines how CyberDagger handles responsible Coordinated Vulnerability Disclosure (CVD) to vendors, customers, and the general public. CyberDagger believes that effective defense depends on broad access to adversarial knowledge and tooling. Our research teams work to responsibly expose techniques that might otherwise remain exclusive to malicious actors, enabling defenders to better identify, prioritise, and mitigate critical vulnerabilities. Publishing high-quality research and, where appropriate, proof-of-concept exploit code is central to CyberDagger’s mission of strengthening global cybersecurity resilience.
As security software developers, we understand the importance of protecting the privacy and security of all technology users, not just our customers. We practice and advocate for responsible disclosure across both third-party technologies and our own systems. This includes vulnerabilities identified within client environments. We believe that this is best achieved through a coordinated vulnerability disclosure process.
CyberDagger’s coordinated vulnerability disclosure approach includes provisions for accelerated disclosure when vulnerabilities are being exploited or are likely to be weaponised. While vendors may balance operational and reputational considerations, CyberDagger prioritises informing affected parties and the broader community so they can take appropriate defensive action.
Coordinated Vulnerability Disclosure Overview
Coordinated vulnerability disclosure processes encourage researchers and vendors to coordinate their efforts, with the focus on providing the best level of protection for the broadest range of technology users in a timely manner. If we discover a vulnerability in a third-party product or service, we will make extensive attempts to locate and inform the affected vendors, work cooperatively with them toward a suitable resolution of the vulnerability, and withhold public disclosure of the vulnerability for a period of time that depends on the factors set out below.
In alignment with established industry practices (including CERT/CC guidelines and ISO 29147 / ISO 30111 standards), CyberDagger typically publishes vulnerability advisories approximately 60 days after initial private disclosure, unless exceptional circumstances warrant deviation. Advisories are shared through official CyberDagger communication channels and, where appropriate, through media engagement.
Below are CyberDagger’s discovery, reporting, mitigation, and disclosure timelines as applicable to common types of vulnerabilities. However, given the complexity and variability of vulnerabilities, CyberDagger reserves the right to adjust disclosure timelines at its discretion.
A. Default Policy Applicable to All Vulnerabilities
- CyberDagger LLC will confidentially disclose vulnerabilities to the organisation best positioned to remediate them (“responsible organisation”) exclusively via email communications.
- If applicable, CyberDagger will reserve a CVE identifier.
- After 15 days, CyberDagger may notify CERT/CC if the responsible organisation has not acknowledged the disclosure.
- After 60 days, CyberDagger will publicly disclose vulnerability details, including CVE information, risk assessment, impact, and mitigation guidance.
- During the coordination window, CyberDagger expects good-faith remediation efforts and may keep CERT/CC informed of progress.
- If any patch is released, whether or not the vulnerability was privately disclosed, CyberDagger will treat that patch as a public disclosure and may publish vulnerability details within 24 hours.
- Duplicate vulnerability reports do not affect established disclosure timelines.
B. Special Cases
CyberDagger’s Default Policy applies to all vulnerabilities, but where a vulnerability falls into one of the categories below, the disclosure timelines listed for that category take precedence.
Exploited in the Wild
When active exploitation is observed:
- CyberDagger will aim to notify CERT/CC and publicly disclose vulnerability details within approximately 7 days of notifying the responsible organisation, regardless of patch availability.
- When possible, directly affected organisations will be notified prior to public disclosure.
Patch Bypasses
When a fix is incomplete or ineffective:
- A new CVE identifier may be issued referencing the original vulnerability.
- CyberDagger will notify the responsible organisation and CERT/CC concurrently.
- Disclosure may occur immediately or within up to 45 days, depending on severity and risk.
Cloud / Hosted Vulnerabilities
When remediation is solely the responsibility of the service provider:
- CyberDagger may choose not to reserve a CVE.
- If resolved within the 60-day coordination window, public disclosure will be evaluated on a case-by-case basis.
- If unresolved, standard disclosure timelines apply.
Kinetic (Safety-Critical) Vulnerabilities
For vulnerabilities impacting human health or safety:
- CyberDagger will disclose details 30 days after a fix is generally available.
- Coordination with relevant government agencies and CERT/CC may occur.
- If exploitation is observed, accelerated disclosure procedures apply.
Low-Impact Vulnerabilities
For minimal-risk issues:
- CyberDagger may choose not to involve CERT/CC, and public disclosure may be deferred or omitted unless the risk profile changes.
No Responsible Organisation
For abandoned, unsupported, or non-responsive software:
- CyberDagger will publish vulnerability details approximately 45 days after notifying CERT/CC, or in accordance with a mutually agreed timeline.
Multi-Faceted Vulnerabilities
When multiple categories apply:
- The shortest applicable disclosure timeline will take precedence.
Disclosure Independence
Because CyberDagger’s primary objective is to ensure vulnerabilities are remediated and that affected parties understand the associated risks, CyberDagger will not participate in any vulnerability disclosure programme that prohibits public disclosure or attempts in any way to control CyberDagger’s work. If a responsible organisation states that they do not intend to remediate or issue an advisory for a reported vulnerability, the coordinated disclosure timeline will no longer apply.
Contact
Through our vulnerability research and responsible disclosure efforts, we strive to enhance the security of software systems and protect users from potential threats. If you have any questions about this policy or if you are a vendor seeking assistance with a reported vulnerability, please contact us.
This policy will be reviewed periodically and may be updated to ensure its effectiveness and alignment with current standards.