Vulnerability Disclosure Policy

⚡Join us Sept. 11 to learn how Archaea Energy secures complex IT/OT networks. Register Now

Overview
Complete security visibility across IT, OT, IoT, cloud, mobile, and remote assets.
Integrations
runZero seamlessly integrates with a wide variety of tools, enhancing network visibility, enriching asset data, and uncovering control gaps.
Community Edition
Our completely free version of the runZero Platform is ideal for home use and environments with fewer than 100 assets.

Welcome to the new era of exposure management

Check out our launch video to see how we're fixing what’s broken with vulnerability management & overcoming persistent problems.

Watch Now

Solutions
Gain visibility, control the unknowns, and ensure compliance with confidence.
Regulatory Compliance
Ensure compliance and stay resilient against evolving cyber threats.
- DORA
- NIST CSF & 800-171
- NIS2
- NYDFS
- PCI DSS

It’s time to move away from legacy vulnerability management

Legacy vulnerability scanners were built for a different time — when networks had clear perimeters, assets were reachable, and credential-based scanning was feasible across the board. That world doesn’t exist anymore.

Resource Center
Dive into a treasure trove of resources to expand your exposure management knowledge.
runZero Research
Explore the world of exposure management through the runZero lens.
runZero Blog
See what's happening at runZero and read up on the latest ideas, opinions, and articles from our experts and researchers.
- The New Era of Exposure Management
- Read About Our New Product Release
Support Resources
Everything you need to maximize your experience with the runZero Platform.

How Archaea Energy secures complex IT/OT environments

Join our live webcast on September 11 to learn how Archaea Energy, a BP subsidiary, tackled complex IT/OT vulnerability management challenges head-on with runZero. Save your spot for this impactful webcast!

Our Customers
Our customers are everything. We're super proud to be trusted by leading organizations around the globe to help them improve their security.
Case Studies
See how runZero has empowered security teams to take control of their networks, uncover their unknowns, and save significant time and money.
Testimonials
Read reviews of the runZero Platform and see how teams have improved their security with our technology.

runZero confirmed safe for OT environments by the U.S. Department of Energy

runZero’s active scanning methods improve visibility with no impact on the performance of ICS or ongoing supervisory control and data acquisition processes and communications.

Read the Report

About Us
Wondering who the heck are these people? Meet the team and get the story behind runZero... once upon a time called Rumble.
Events
Track down runZero Yetis in the wild! Join us in-person or virtually at one of our upcoming events.
Investors
Meet the cybersecurity investors, trailblazers, and innovators who help us navigate our journey and the evolving security landscape.
Newsroom
Read the latest articles, announcements, and press releases from runZero.
Careers
Want to join our forces? We're looking for bright minds and passionate souls who want to write the next chapter in exposure management.

Poking the bear (safely): runZero’s new Nuclei integrations!

Join us on September 17 for the next episode of runZero hour, where Rob King and Tod Beardsley take a thrilling deep dive into what’s new with runZero’s integrations with Nuclei. We’re going all in on open-source!

Infinity Partner Program
See how we can work together to provide best-in-class security solutions and outcomes for our joint customers.
Partner Directory
Explore our directory of trusted (and awesome) partners.
Partner Sign In
Sign in to our Infinity Partner Portal.

Join our Infinity Partner Program

Designed with a partner-first mindset, the runZero Infinity Partner Program offers incredibly valuable resources, relationships, and rewards to partners who choose to grow their business with us.

Become a runZero Partner

runZero, Inc. believes that coordinated, timely disclosure of security vulnerabilities is in the best interest of the public and our customers. runZero security experts regularly identify and observe security vulnerabilities while researching protocol implementations and studying root causes of various technical issues during the normal course of business.

For vulnerabilities that are identified or observed during the normal course of research and development work, we may collaborate on disclosing these vulnerabilities with appropriate stakeholders, such as the technology provider, our own customers with vulnerable implementations, and coordination bodies such as US CISA, TWCERT/CC, ENISA, and other regional vulnerability coordinators, as appropriate. runZero will not disclose vulnerabilities to US-sanctioned entities, such as those listed by OFAC.

The process for disclosing vulnerabilities discovered or observed by runZero typically takes 60 days or less, and will consist of the following steps:

runZero will make a best-effort attempt to identify and contact the appropriate technology provider by email, telephone, or, in rare cases, registered US mail.
In the event runZero receives a response and confirmation from the appropriate technology provider in Step 1, runZero will provide detailed information about the vulnerability to that technology provider, as well as a proposed timeline of public disclosure.
Within five calendar days of the disclosure deadline proposed in step 2, runZero will request a CVE identifier for the issue, when appropriate.
On the 61st day after initial disclosure, runZero may publish an advisory regarding the details of the issue, with enough information for affected users and third parties to validate and remediate the vulnerability. These advisories may include proof-of-concept code (PoCs) and likely indicators of compromise (IOCs). This advisory may be made available to the general public.
Finally, runZero may extend deadlines for extenuating circumstances articulated by the technology provider, on a good-faith basis. Note that if vulnerability details are made publicly available, through an advisory or patch, runZero may immediately disclose the vulnerability details which were shared in step 2.

The above procedure is subject to change in light of new information or details and to accommodate weekends, holidays, and extenuating circumstances. Technology vulnerabilities often represent undefined, surprising, and undesirable behavior, so runZero will strive to be sufficiently agile in the defense of customers, providers, users, and the general public in the face of unforeseen circumstances.

For questions and comments about this VDP, please reach out to security@runzero.com. Our PGP key is linked from https://runzero.com/.well-known/security.txt if you feel more comfortable encrypting beyond the normal STARTTLS privacy guarantees.

Join us on September 11 for our live webcast with Archaea Energy!