The vulnerability disclosure policy of security vulnerabilities found by this site's owner.
Before publicly reporting such vulnerabilities, the owner of this site (also known as the bug reporter) generally discloses the security vulnerability initially to an appropriate party (such as the vendor that designed and manages the relevant software) as expeditiously as possible so that the issue may be addressed.
All parties will be given 45 days (which begins from the initial alert sent to the party regarding the existence of the vulnerability, through appropriate means, that includes, but not limited to emails and bug tracking softwares)
However, the timeline may be altered due (but not limited) to the following reasons:
Where the third party has already disclosed the vulnerability to the general public;
Where the third party has patched such vulnerability;
Where the third party takes a denial position of such security vulnerability;
Where the vulnerability is actively exploited in the wild;
Where the third party takes a position of not to disclose it under certain conditions, which the condition is mutually agreed between the bug reporter and the other members of the public, which may be due to:
the vulnerability not instantly patchable, and the reveal of such loopholes may lead to unintended consequences, such as the endangerment of personnels;
bound by contracts that contain NDAs. Should that be the case, the timeframe can be extended to 90 days.
This may result in:
The vulnerability may be disclosed in less than, or longer than 45 days from the first notice to relevant parties
Any concerns or questions regarding vulnerability disclosures should be addressed to bugs@wchan.hk.