Zenity Coordinated Disclosure Policy
Objective
Zenity employees routinely discover new vulnerabilities as part of their work. The objective of this policy is to ensure that Zenity operates in accordance with accepted industry standards and practices, and to provide transparency to vendors, colleagues, and the security research community.
Zenity is committed to improving the security of AI and Low-Code/No-Code platforms and their customers. When vulnerabilities are found, they will be reported privately and in a timely manner, in order to give the affected vendor time to establish the nature of the vulnerability, assess its significance and, when needed, issue and deploy a fix.
The Disclosure Policy
- Once a vulnerability has been identified and analyzed, Zenity will reach out to the affected vendor and inform them that a vulnerability has been found.
- Upon acknowledgement by the vendor, a confidential communication channel will be established in order to provide the vendor with the technical details. The vendor may waive confidentiality and use regular channels, such as unencrypted email.
- If PGP (or other public-key cryptography) is available, a single encrypted channel will be used.
- Otherwise, two separate channels will be used: one for the encrypted material and one for the key (for example, an encrypted archive sent by email and its passphrase delivered by phone or another out-of-band channel), so that an observer of either channel alone cannot recover the report.
- Via the confidential channel, Zenity will provide the technical details of the vulnerability found. These may include technical analysis, proof-of-concept code or data, recorded video, or any other form suitable for the available information.
- The disclosure will include the Zenity terms of disclosure: "This report is subject to a 90-day disclosure deadline. Zenity will be eligible to publish the information either 90 days after the report or once a fix is released, whichever comes first."
- The vendor will have 15 days to acknowledge receipt and respond. If 15 days have passed and no answer has been received, Zenity will make one more attempt to obtain acknowledgement. In all cases, the 90-day count begins on the day of the initial report, not on the day of acknowledgement.
- Zenity is open to discussing an extension of the 90-day period, should the vendor request one. The final decision is at Zenity's discretion.
Publishing
When the 90-day period has elapsed, once a fix has been released, or if the vendor has been unresponsive despite repeated communication attempts, Zenity may publish the findings.
- Zenity reserves the right to publish all the relevant information, or parts of it, depending on the nature of the vulnerability and its significance.
- Zenity will be happy to publish a follow-up or an update, once a fix has been released.
- Zenity is open to including a comment from the affected vendor upon publishing, including cases when the vendor chooses not to classify the findings as a vulnerability or a security risk.
- This policy aims to incentivize affected vendors to respond promptly and to provide their users with timely patches and/or mitigations.
- Publishing the information may come in any number of ways, including but not limited to blog posts, media announcements, conference talks, and interviews.
Timeline summary
- Day 0 (initial report): attempt to securely communicate with the vendor.
- Day 15: second reach-out attempt, if required.
- Day 75: final reminder sent to the vendor, informing them of the tentative release date of the public disclosure.
- Day 90: the public disclosure window begins. Zenity may publish at any time from this point forward.
Contact details
email: disclosure@zenity.io
PGP key