This policy outlines how the Zero Day Initiative (ZDI) handles responsible vulnerability disclosure to product vendors,
TippingPoint customers, security vendors and the general public. ZDI will responsibly and promptly notify the appropriate
product vendor of a security flaw with their product(s) or service(s). The first attempt at contact will be through any
appropriate contacts or formal mechanisms listed on the vendor Web site, or by sending an e-mail to
security@, support@, info@, and email@example.com with the pertinent information about the vulnerability.
Simultaneous with the vendor being notified, TippingPoint may distribute vulnerability protection filters to its
customers through the Digital Vaccine service.
If a vendor fails to acknowledge ZDI's initial notification within five business days, ZDI will initiate a second
formal contact by a direct telephone call to a representative of that vendor. If a vendor fails to respond after an
additional five business days following the second notification, ZDI may rely on an intermediary to try to establish
contact with the vendor. If ZDI exhausts all reasonable means in order to contact a vendor, then ZDI may issue a public
advisory disclosing its findings fifteen business days after the initial contact.
If a vendor response is received within the timeframe outlined above, ZDI will allow the vendor 4 months to address
the vulnerability with a patch. At the end of the deadline, if a vendor is not responsive or is unable to provide a
reasonable statement as to why the vulnerability is not fixed, ZDI will publish a limited advisory including
mitigation in an effort to enable the defensive community to protect the user. We believe that by doing so the vendor
will understand the responsibility they have to their customers and will react appropriately.
We realize some issues may take longer than the deadline due to complexity and compatibility reasons, and we are
willing to work with vendors on a case-by-case basis. To maintain transparency into our process, if any vulnerability
is given an extension we plan on publishing the communication we've had with the vendor regarding the issue once it is
patched. We hope that this level of insight into our process will allow the community to better understand some of the
difficulties vendors have when remediating high-impact bugs. ZDI will make every effort to work with vendors to ensure
they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or
chooses not to, patch a particular security flaw, ZDI will offer to work with that vendor to publicly disclose the flaw
with some effective workarounds. In no cases will an acquired vulnerability be 'kept quiet' because a product vendor
does not wish to address it.
Before public disclosure of a vulnerability, ZDI may share technical details of the vulnerability with other
security vendors who are in a position to provide a protective response to a broader user base. Such a security
vendor must show they are able to provide security protection for vulnerabilities, while at the same time not revealing
the technical vulnerability details in their product updates.
ZDI will formally and publicly release its security advisories on its Web site and on selected security
mailing list outlets.