
Zenity Coordinated Disclosure Policy

Zenity employees routinely discover new vulnerabilities as part of their work. The objective of this policy is to protect end users. To achieve this, Zenity operates in accordance with acceptable industry standards and practices, as well as provides transparency to vendors, colleagues, and the security research community.

Zenity is committed to improving the security of AI systems and their users. When vulnerabilities are found, they will be reported privately and in a timely manner, giving the affected vendor time to establish the nature of the vulnerability, assess its significance and, when needed, issue and deploy a fix.

This Policy aims to incentivize affected vendors to promptly respond and provide their users with timely patches and/or mitigation.

Disclosure Process

Notify the vendor: Zenity will make a good faith effort to contact the vendor as soon as possible after discovering the vulnerability. The first attempt at contact will be through any appropriate formal mechanisms listed on the vendor website or by emailing the vendor's security contact or designated point of contact. Zenity will not follow any mechanism listed on the vendor website that requires Zenity to execute a non-disclosure agreement or be bound to confidentiality obligations. The notice will describe the vulnerability and provide sufficient detail to allow the vendor to reproduce and verify the issue (“Initial Report”). Zenity will also provide a timeline for publishing the findings and request confirmation of receipt.

If the vendor fails to acknowledge receipt of Zenity’s notice within fifteen (15) calendar days from the Initial Report, Zenity will make a second attempt to contact a representative for that vendor.

If a vendor response is received within thirty (30) days from the Initial Report, a confidential communication channel will be established, and Zenity will use it to provide the vendor with the technical details of the vulnerability found. These may include technical analysis, proof-of-concept code or data, recorded video, or any other form suitable for the available information.

  • The vendor is allowed to waive confidentiality and use regular channels, such as email.
  • If PGP (or other public-key cryptography) is available, a single encrypted channel will be used, with the material encrypted to the vendor's public key.
  • Otherwise, two separate channels will be used: one for the encrypted material and one for the key or passphrase needed to decrypt it, so that a compromise of either channel alone does not expose the details.

Allow the vendor 90 days to respond: Zenity believes that vendors should have sufficient time to investigate and address the vulnerability. Therefore, Zenity will allow the vendor 90 days following the Initial Report to respond to Zenity and address the vulnerability with a security patch or other corrective measure as appropriate. Zenity reserves the right to publish the information regarding the vulnerability 90 days after the Initial Report or upon the release of a fix, whichever comes first. At the end of the 90-day period, if a vendor is not responsive or unable to provide a reasonable statement (at Zenity’s discretion) as to why the vulnerability is not fixed, Zenity may publish its findings.

Zenity is open to discussing a vendor’s request to extend the 90-day period. Any extension will be granted at Zenity’s discretion.

If the vendor fails to respond or does not address the vulnerability within the agreed timeline, Zenity will make a public disclosure of the vulnerability. Zenity will also include a summary of its efforts to contact the vendor and the timeline of its disclosure process. If Zenity believes it is in the best interest of users or that the vendor/target of Zenity’s report is not acting in good faith, Zenity reserves the right to deviate from this 90-day policy and disclose in a manner that Zenity deems appropriate.

Public Disclosure

Zenity reserves the right to publish all relevant information, or parts of it, depending on the nature of the vulnerability and its significance in accordance with the terms of this Policy. Publishing the information may take various forms, including but not limited to blog posts, media announcements, conference talks, and interviews.

Zenity will be happy to publish a follow-up or an update, once a fix has been released. Zenity is open to including a comment from the affected vendor upon publishing, including cases where the vendor chooses not to classify the findings as a vulnerability or a security risk.

Contact Zenity

If you have any questions or require information about Zenity’s Coordinated Policy, please email disclosure@zenity.io.

PGP key
