Disclosure of Security Vulnerabilities

The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto. As an academic research institution, the Citizen Lab is committed to the public reporting of all security vulnerabilities that it discovers in the course of its research mandate and will publish all such vulnerabilities on its website after a certain period of time has elapsed.

Initial disclosure to software vendor or other relevant party

Before publicly reporting such vulnerabilities, the Citizen Lab undertakes, as a general rule, to first disclose the security vulnerability to an appropriate party (such as the vendor that designed and manages the relevant software) as expeditiously as possible so that it may be addressed.

Timeline to public disclosure

The Citizen Lab will provide responsive parties with 45 calendar days (beginning from the initial alert sent by the Citizen Lab to the party regarding the existence of the vulnerability) to fix the identified vulnerability. After this period of time, and regardless of whether the vulnerability is addressed in whole or in part by the relevant party, the Citizen Lab will aim to publish details regarding the vulnerability on its website. Note that this timeline to general disclosure of the vulnerability may be accelerated or extended in certain circumstances, such as where the third party has since disclosed the vulnerability to the general public, the third party has patched the vulnerability, the third party has taken the position that there is no security vulnerability, or the Citizen Lab observes the vulnerability under active exploitation.

Questions or concerns

Any questions or concerns regarding vulnerability disclosure by the Citizen Lab should be addressed to inquiries@citizenlab.ca. The Citizen Lab maintains a GitHub repository with details of publicly reported vulnerabilities.

Last updated: November 19, 2020