We're committed to responsible disclosure. We give people every opportunity to fix problems in their software before we publish those problems for the world to see (and for the bad actors to exploit). But we're also committed to protecting what's important to our customers, and to the security of the public at large. So we will:
- Tell vendors, directly or through a responsible third party (such as CERT/CC), about any vulnerabilities we find in their software before we publicly disclose those vulnerabilities, and work with vendors to help them fix the problem in a reasonably timely fashion.
- If we coincidentally find vulnerabilities in publicly available software or hardware in the course of our work for a customer, provide our customer with the details necessary to defend themselves, while at the same time reporting the vulnerability to the responsible vendor so that the larger community can be protected.
- Release details of the vulnerability to the public when the vendor makes a fix available, or after we determine in good faith that the vendor has no realistic intention of fixing its product, or when exploits are widely and publicly available, or when disclosing the vulnerability can prevent a clear and present danger to the public.