Vulnerability Disclosure Policy

Trail of Bits is committed to the coordinated disclosure of vulnerabilities, which helps protect clients, vendors, and downstream users. As a security research company, we regularly develop analysis methods and tooling that discover vulnerabilities in production systems. This policy describes how Trail of Bits handles the disclosure of these vulnerabilities.

Embargo period

Trail of Bits follows a 90+30 disclosure deadline policy similar to Project Zero, meaning a vendor has 90 days after Trail of Bits notifies them about a security vulnerability to make a patch available to users. If the vendor makes a patch available within 90 days, Trail of Bits will publicly disclose details of the vulnerability 30 days after the patch has been made available to users.

14-day grace period

If a vendor is unable to make a patch available in 90 days, but will make a patch available within an additional 14 days, Trail of Bits may grant a grace period to the vendor upon request. In this case, Trail of Bits will publicly disclose details of the vulnerability 104 days after the vulnerability was initially disclosed to the vendor.

Mutually agreed early disclosure

Trail of Bits and the affected vendor can mutually agree to release details of a vulnerability earlier than the date indicated by policy.

Unpatched vulnerabilities

If the vendor is unable to patch an issue within the initial 90 days and has not attempted to communicate an alternative timeline, Trail of Bits will make the details of the vulnerability public at the end of the 90-day period.

Extenuating circumstances

We reserve the right to alter deadlines in exceptional situations, either advancing the release (e.g., if we find evidence that a vulnerability is being actively exploited against real users “in the wild”) or delaying the release (e.g., if it is evident that an issue is sufficiently severe or the fix is sufficiently complex). If a bug affects multiple vendors, we reserve the right to work with an external coordinator for support, such as CERT/CC or US-CERT.

Vulnerability publication

Trail of Bits is a transparent company that believes in sharing our ideas, knowledge, and tools publicly for the benefit of the security community. We believe that publishing the details of our disclosed vulnerabilities provides significant educational value to the community, and regularly publicize the details of our vulnerability disclosures. Examples of vulnerabilities we have previously disclosed can be viewed in the “Vulnerability Disclosure” category on our company blog and “Disclosures” in our publications repository.