Vulnerability Disclosure Policy

Last Updated: January 6, 2026

Overview

OFFENSAI is committed to responsible vulnerability disclosure. Our security research team may discover vulnerabilities in cloud platforms, third-party services, and other widely-used systems. When we identify such vulnerabilities, we follow a structured disclosure process that balances the need to protect users with giving vendors adequate time to develop and deploy fixes.

Our policy is modeled after industry-leading practices, including Google Project Zero's disclosure policy, which has proven effective at improving security across the ecosystem while maintaining reasonable timelines.

Standard Disclosure Timeline

90-Day Disclosure Deadline

When our security research team discovers a vulnerability, we will:

  1. Notify the affected vendor promptly with detailed technical information about the vulnerability
  2. Provide 90 days from the date of initial notification for the vendor to develop and release a fix
  3. Publicly disclose the vulnerability after the 90-day deadline, regardless of whether a patch is available, unless a grace period has been granted under the terms described below

This 90-day window provides vendors with sufficient time to:

  • Analyze and reproduce the vulnerability
  • Develop an appropriate fix
  • Test the fix thoroughly
  • Deploy the patch to affected users

Grace Period for Exceptional Cases

In certain circumstances, we may grant a 30-day grace period beyond the standard 90-day deadline. This extension may be considered when:

  • A fix is actively being developed and is demonstrably close to completion
  • The vendor has shown good faith effort and consistent communication throughout the disclosure process
  • The complexity of the vulnerability reasonably requires additional time
  • Coordinated disclosure with multiple vendors is necessary

The total maximum timeline, including any grace period, will not exceed 120 days from initial notification.

Rationale

We believe in responsible disclosure because:

  • Users deserve protection. Indefinite delays in disclosure leave users vulnerable to attacks from malicious actors who may independently discover the same vulnerability.

  • Deadlines drive action. Fixed timelines encourage vendors to prioritize security fixes and allocate appropriate resources.

  • Transparency improves security. Public disclosure, even of unpatched vulnerabilities, allows users to make informed decisions about their risk exposure and take protective measures.

  • Reasonable timelines matter. While we respect vendors' development cycles, extended delays leave users exposed. The 90-day standard has proven to be a reasonable balance between giving vendors adequate time and protecting users.

What a Typical Disclosure Might Include

  • A description of the vulnerability and its potential impact
  • The date of initial vendor notification
  • The timeline of communications with the vendor
  • Technical details sufficient for users to assess their risk
  • Recommended mitigations, if available
  • Patch information, if a fix has been released

Contact

For questions about this policy:

Email: security@offensai.com

Document Version: 1.0