If you believe you have discovered a vulnerability in the CyCognito platform or have a security incident to report, send us an email to report it. Upon receipt of your message we will send an automated reply that includes a tracking identifier.
We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why CyCognito uses a 90-day disclosure timeline. We promptly notify vendors of vulnerabilities once we have discovered and validated them. Details are normally shared publicly with the defensive community 90 days after our notification to the vendor, or sooner if the vendor releases a fix before that time.
As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. CyCognito expects to be held to the same standard.
This policy is strongly in line with our desire to improve industry response times to vulnerabilities, but also results in softer landings for vulnerabilities marginally over the 90-day timeline. We call on all researchers to adopt vulnerability disclosure policies as well. Reducing timelines for fixes will result in smaller windows of opportunity for vulnerabilities to be exploited.