AO Labs Vulnerability Disclosure Policy
- We believe that vulnerability disclosure is a two-way street. SaaS application providers, as well as AO Labs researchers and engineers, must act responsibly. This is why AppOmni adheres to a 90-day disclosure deadline. We notify SaaS application providers of vulnerabilities immediately, with details shared in public after 90 days, or sooner if the vendor releases a fix. That deadline can vary in the following ways:
- If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal work day.
- Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch.
- When we observe a previously unknown and unpatched vulnerability in a SaaS application provider which is under active exploitation (a “0day”), we believe that more urgent action—within 7 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more data will be compromised. 7 days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support AO Labs researchers and engineers making details available so that companies can take steps to protect themselves.
As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all SaaS application providers strictly equally.
Disclosure Deadlines
- Disclosure deadline of 90 days. If an issue remains unpatched after 90 days, technical details are published immediately. If the issue is fixed within 90 days, technical details are published 30 days after the fix. A 14-day grace period* is allowed.
Earlier Disclosure for Active Exploitation
- Disclosure deadline of 7 days for issues that are being actively exploited in-the-wild against users. If an issue remains unpatched after 7 days, technical details are published immediately. If the issue is fixed within 7 days, technical details are published 30 days after the fix. Vendors can request a 7-day grace period* for in-the-wild bugs.
Grace Period Details
- If a grace period* is granted, it uses up a portion of the 30-day patch adoption period. (e.g. Patched on Day 100 in grace period, disclosure on Day 120)
