Rhino Security Labs

Vulnerability Disclosure Policy

Vulnerability Disclosure Policy (45+30)

Updated on 5/1/2024

This policy outlines Rhino Security Labs’ approach to vulnerability disclosure, providing a timeline for vendors to respond and remediate.

Upon identifying and reporting a vulnerability to a vendor, we initiate a 45-day countdown for the vendor to develop and release a patch addressing the identified issue.

If the vendor successfully patches the vulnerability within the 45-day timeframe, we will publicly disclose the vulnerability 30 days after the patch is released.

This gap aims to provide users adequate time to apply the patch, enhancing their security posture before the vulnerability details become public knowledge.

If a vendor does not patch the vulnerability within the initial 45-day window, we will proceed with public disclosure immediately following the 45-day period.

Examples

  • If a vendor issues a patch 35 days after Rhino’s initial vulnerability disclosure, public disclosure would be scheduled for day 65.
  • If no patch has been released 45 days after Rhino’s initial vulnerability disclosure, public disclosure would occur on day 45.

Accelerated Disclosure

Rhino Security Labs reserves the right to publicly disclose ahead of schedule in unique circumstances, such as active exploitation or a public exploit. Such disclosures aim to equip the community with information necessary for risk mitigation.