Responsible Disclosure Policy

We dedicate extensive time to research through activities such as vulnerability research and tool development. Our research collection is built upon the accomplishments of our dedicated Baldur team members careers. This is done to stay ahead of the industry and keep our customers secure.

All of our research is subject to responsible disclosure and we are devoted to get vulnerabilities patched so our customers can stay secure.

Responsible Disclosure Process

When a vulnerability is discovered, we utilize the following responsible disclosure process:

1. Notify the vendor: As soon as we can provide a clear picture of the vulnerability, the vendor is notified. We will try to reach out to the vendor in multiple ways, to report the issue
2. Notify our clients: If we have clients affected by the vulnerabilities, we will aim to provide mitigation strategies for them, that do not disclose the security issue.
3. Allow the vendor 90 days to patch: This window is the industry standard for disclosure policies and it is expected that the issue can be addressed in a timely manner within 90 days. This can vary, if certain complex issues are discovered, that needs more time to address.
4. Coordinate the release of the patch: This includes a public disclosure of the vulnerability, coordinated with the vendor, to ensure nothing is disclosed before patches are available.