Security Vulnerability Disclosure Policy
As an academic research unit at the University of Toronto, the Citizen Lab is committed to publicly reporting all security vulnerabilities uncovered in the course of our research investigations, and publishing all such vulnerabilities online at citizenlab.ca.
Initial disclosure to software vendor or other relevant party
Before publicly reporting such vulnerabilities, the Citizen Lab generally undertakes to first disclose the security vulnerability to an appropriate party (such as the vendor that developed and manages the relevant software) as expeditiously as possible so that it may be addressed.
Timeline to public disclosure
The Citizen Lab will provide responsive parties with 45 calendar days (beginning from the initial alert sent by the Citizen Lab to the party regarding the existence of the vulnerability) to fix the identified vulnerability. After this period of time, and regardless of whether the vulnerability is addressed in whole or in part by the relevant party, the Citizen Lab will aim to publish details regarding the vulnerability on its website. Note that this timeline to general disclosure of the vulnerability may be accelerated or extended in certain circumstances, such as where the third party has since disclosed the vulnerability to the general public, the third party has patched the vulnerability, the third party has taken the position that there is no security vulnerability, or the Citizen Lab observes the vulnerability under active exploitation.
Questions or concerns
Any questions or concerns regarding security vulnerability disclosure by the Citizen Lab should be addressed to [email protected].
The Citizen Lab maintains a GitHub repository with details of publicly reported vulnerabilities.