Reporting Security Issues

If you believe you have discovered a vulnerability in the CyCognito platform or have a security incident to report, send us an email to report it. Upon receipt of your message we will send an automated reply that includes a tracking identifier.


CyCognito’s responsible disclosure policy

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why CyCognito uses a 90-day disclosure timeline. We promptly notify vendors of vulnerabilities upon our discovery and validation with details normally shared in public with the defensive community after 90 days from our notification to the vendor, or sooner if the vendor releases a fix before that time.

 

That 90-day disclosure timeline may vary in the following ways:

  • If the 90-day timeline is due to expire on a weekend or US public holiday, the period will be extended to the next normal work day.

  • Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 30 days following the end of the 90-day period, we will delay the public disclosure until the availability of the patch.

  • When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a “0day”), we believe that more urgent action—within 30 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts may be compromised. As a result, after 30 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.


As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. CyCognito expects to be held to the same standard.


This policy is strongly in line with our desire to improve industry response times to vulnerabilities, but also results in softer landings for vulnerabilities marginally over the 90-day timeline. We call on all researchers to adopt vulnerability disclosure policies as well. Reducing timelines for fixes will result in smaller windows of opportunity for vulnerabilities to be exploited.