In parallel to security assessments and security reviews, Shielder actively searches for vulnerabilities in widely-used products.
In case a vulnerability is found, we believe that a transparent disclosure policy is in all the affected parties’ best interest.
Shielder adheres to a 90-day disclosure deadline. Whenever possible, we send the vulnerability details to the vendor over a secure channel, e.g. PGP-encrypted email.
The 90 calendar days start on the day the report is sent. Once the vulnerability is fixed, or the 90 days have passed (whichever comes first), we publish the details. All published advisories are available at https://shielder.it/advisories/.
In some cases we may determine that it is in everyone’s best interest to deviate from this policy: for example, we reserve the right to move the deadline forward or backward under extreme circumstances, such as reports of in-the-wild exploitation.
Whenever possible, we work with the vendor to have a CVE entry assigned, so that each and every finding has a precise identifier that can be tracked.