Vulnerability Disclosure Policy

Soluble is dedicated to improving the security of the internet. To this end, we advocate responsible disclosure on behalf of researchers and vendors. We notify vendors of vulnerabilities immediately and share details with the public after 90 days, or sooner if the vendor releases a fix prior to the end of this timeline. The deadline may vary in the following ways:
 
  • If a deadline would expire on a weekend or US public holiday, the deadline will be moved to the next working day.
  • If a vendor notifies us that a patch will be released within 14 days following the deadline, we will delay the disclosure until the patch has been released.
  • When we observe a previously unknown and unpatched vulnerability under active exploitation (a “zero-day”), we believe that more urgent action, within 7 days, is appropriate. Each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to distribute updates for their products, but it should be enough time to publish advice about mitigation strategies, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. After seven days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.


CVEs are an industry standard for identifying unique instances of vulnerabilities in software. To prevent confusion, it is important that vulnerabilities are assigned a CVE and referenced when first disclosed. Soluble contacts MITRE to assign CVEs for vulnerabilities when the vulnerabilities meet MITRE’s criteria.
 
If a vendor is unresponsive, Soluble will send a notification to US CERT 14 days after the first attempt to contact the vendor.
 
We reserve the right to accelerate or slow disclosure deadlines in extreme and unique circumstances. We remain committed to treating all vendors equally, and Soluble holds itself to this same standard. This policy aligns with Soluble’s goal of improving industry security and response time.
 
Companies are made of people, and we're all human: we all make mistakes. No organization or individual is infallible. What is important is how we conduct ourselves when correcting deficiencies of the past.
 
View Soluble CVEs, research, and advisories authored by our security team here.
 
Report a vulnerability in a Soluble asset