Vulnerability Disclosure Policy

Last updated: August 20, 2025
Previous version: January 18, 2024

runZero, Inc. believes that coordinated, timely disclosure of security vulnerabilities is in the best interest of the public and our customers. runZero security experts regularly identify and observe security vulnerabilities while researching protocol implementations and studying root causes of various technical issues during the normal course of business.

For vulnerabilities that are identified or observed during the normal course of research and development work, we may collaborate on disclosing these vulnerabilities with appropriate stakeholders, such as the technology provider, our own customers with vulnerable implementations, and coordination bodies such as US CISA, TWCERT/CC, ENISA, and other regional vulnerability coordinators, as appropriate. runZero will not disclose vulnerabilities to US-sanctioned entities, such as those listed by OFAC.

The process for disclosing vulnerabilities discovered or observed by runZero typically takes 60 days or less, and will consist of the following steps:

  1. runZero will make a best-effort attempt to identify and contact the appropriate technology provider by email, telephone, or, in rare cases, registered US mail.

  2. In the event runZero receives a response and confirmation from the appropriate technology provider in Step 1, runZero will provide detailed information about the vulnerability to that technology provider, as well as a proposed timeline of public disclosure.

  3. Within five calendar days of the disclosure deadline proposed in Step 2, runZero will request a CVE identifier for the issue, when appropriate.

  4. On the 61st day after initial disclosure, runZero may publish an advisory regarding the details of the issue, with enough information for affected users and third parties to validate and remediate the vulnerability. These advisories may include proof-of-concept code (PoCs) and likely indicators of compromise (IOCs). This advisory may be made available to the general public.

  5. Finally, runZero may extend deadlines for extenuating circumstances articulated by the technology provider, on a good-faith basis. Note that if vulnerability details are made publicly available, through an advisory or patch, runZero may immediately disclose the vulnerability details which were shared in Step 2.

The above procedure is subject to change in light of new information or details and to accommodate weekends, holidays, and extenuating circumstances. Technology vulnerabilities often represent undefined, surprising, and undesirable behavior, so runZero will strive to be sufficiently agile in the defense of customers, providers, users, and the general public in the face of unforeseen circumstances.

For questions and comments about this VDP, please reach out to security@runzero.com. Our PGP key is linked from https://runzero.com/.well-known/security.txt if you feel more comfortable encrypting beyond the normal STARTTLS privacy guarantees.