Policy
After ZUSO submits the report to the product vendor, the vulnerability will be kept confidential until the date it can be made public. ZUSO then contacts the relevant product vendor by email with the vulnerability report details.
Response timeline
Initial report: ZUSO contacts the affected vendor via [email protected] once we have sufficient vulnerability details on the product, and start calculating the time to fix the vulnerability from the date of contact with the vendor. If the vendor fails to acknowledge ZUSO’s initial notification within five business days, ZUSO will rely on an intermediary to try to contact the vendor. ZUSO may issue a public advisory in 15 days if the vendor still fails to respond.
Confirm vulnerability: Ask the vendor to triage the vulnerability.
Reserve the CVE ID: ZUSO also initiates a CVE ID reservation within five days after having sufficient information on the vulnerability. This step will not reduce the number of repair days.
Public disclosure: ZUSO attaches great importance to responsible disclosure, so we provide 90 days to make the vendors have sufficient time to address remediation. Additionally, our company offers the vendors a 60-day grace period to extend and make an announcement. The extension depends on the severity of vulnerabilities and the remediation progress by the vendors. However, the advisory will be launched to the public 90 days after the initial report.
If ZUSO receives a response from the vendor by the deadline, ZUSO will allow the vendor to extend 60 days to address the vulnerability with a security patch or other appropriate remedy. Suppose the vendor fails to respond by the deadline or fails to provide a reasonable statement that the vulnerability has not been fixed. In that case, ZUSO will not extend the disclosure deadline and meanwhile, we will issue some recommendations to enable community security and protect users. By doing so, the vendor will understand its responsibility for its customers and responds appropriately.