Unciphered’s Vulnerability Disclosure Policy

Because crypto exploits give attackers the ability to steal vast amounts of value nearly instantaneously, this is our Vulnerability Disclosure Policy with vendors.

  1. Disclosure deadline of 30 days. If an issue remains unpatched after 30 days, technical details are published immediately. If the issue is fixed within 30 days, technical details are published 30 days after the fix. A 14-day grace period is allowed.

  2. Disclosure deadline of 7 days for issues that are actively being exploited in-the-wild and critical (cryptographic breaks, rapid seed extraction, etc.) against users, local and remote. If an issue remains unpatched after 7 days, technical details are published immediately. If the issue is fixed within 7 days, technical details are published 30 days after the fix.

  3. Vendors can request a 3-day grace period for in-the-wild bugs.

    If a grace period is granted, it uses up a portion of the 30-day patch adoption period (e.g. patching on day 50 in grace period, disclosure on day 64).