Pretera Vulnerability Disclosure Policy

Pretera is committed to addressing and reporting any identified security issues through a coordinated and constructive approach. We believe in coordinated disclosure and work closely with vendors and clients to patch vulnerabilities promptly. We adhere to the industry-standard 90-day disclosure deadline. Vendors and clients are notified of vulnerabilities immediately, and details are shared publicly after 90 days, or sooner if the vendor releases a fix before the end of that period.

Deadline Variations

The 90-day deadline can vary in the following ways:

  • If a deadline is due to expire on a weekend or public holiday, the deadline will be moved to the next workday.
  • If, before the 90-day deadline has expired, a vendor informs us that a patch is scheduled for release within 14 days after the deadline, we will delay public disclosure until the patch is available.
  • When we observe a previously unknown and unpatched vulnerability (a “zero-day”) in software under active exploitation, we believe that more urgent action, within seven days, is appropriate. Each day an actively exploited vulnerability remains undisclosed and unpatched, more devices or accounts are at risk. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. After seven days have passed without a patch or advisory, we will support researchers in making details available so that users can protect themselves.

Industry Standards

Common Vulnerabilities and Exposures (CVEs) are an industry standard for identifying vulnerabilities. To avoid confusion, the first public mention of a vulnerability should include a CVE. For vulnerabilities that extend beyond our deadline, we ensure that a CVE has been pre-assigned.

If a vendor is unresponsive, Pretera will send a notification to CERT/CC 15 days after the first attempt at contacting the vendor.

Adaptable Deadlines

We reserve the right to adjust deadlines in extreme circumstances. Pretera is committed to treating all vendors equally. This policy reflects our desire to improve industry response times to security bugs while allowing more flexible timelines for bugs that are marginally over the deadline.

Commitment to Security

Pretera's vulnerability disclosure policy is designed to create pressure towards timely fixes, reducing the window of opportunity for malicious actors to exploit vulnerabilities. We call on all researchers to adopt disclosure deadlines in some form, and researchers are welcome to use our policy as a reference if they find our record and reasoning compelling. Our goal is to enhance overall safety for users of the internet through responsible and coordinated vulnerability disclosure.