At Aura, we believe that vulnerability disclosure is a two-way street. It requires responsible behaviour from both vendors and researchers. With that in mind, we adopt a 90-day disclosure deadline, during which we notify vendors of any vulnerabilities we find. Details of these vulnerabilities are shared publicly with the defensive community after 90 days, or sooner if the vendor releases a fix.
The 90-day deadline can be adjusted in the following situations:
Weekends and Public Holidays: If a deadline is due to fall on a weekend or a public holiday, the deadline will be moved to the next regular work day.
Patch Release: If a vendor informs us that a patch is scheduled for release on a specific day within 14 days following the deadline, we will delay public disclosure until the patch is available.
Zero-Day Exploits: In cases where we find a previously unknown and unpatched vulnerability in software that is actively being exploited (a “0day”), we believe more immediate action is required. We will strive to respond within 7 days. Each day an actively exploited vulnerability remains undisclosed and unpatched, more devices or accounts could be compromised. If after 7 days there is no patch or advisory from the vendor, we support researchers disclosing details to allow users to take steps to protect themselves.
Aura reserves the right to adjust deadlines based on extreme circumstances. We believe in fairness and equality, and therefore commit to treating all vendors strictly equally. Aura holds itself to the same standards it expects from other entities.
This policy aligns with Aura’s commitment to improve industry response times to security vulnerabilities, while providing more flexible handling of vulnerabilities that marginally miss the deadline. We urge all researchers to adopt disclosure deadlines in some form, and they are welcome to adopt our policy verbatim if they find our practice and reasoning compelling.
By pushing for more timely fixes, we can reduce the window of opportunity for malicious actors to exploit vulnerabilities. In our view, vulnerability disclosure policies like ours result in a safer digital environment for all internet users.