Vulnerability Disclosure Policy
As a provider of security solutions, services, and research, eruditeMETA takes security issues very seriously. It is our policy to work and coordinate with other vendors with respect to discovered vulnerabilities, with the intention of keeping users and customers safe. This document will share our process for disclosure.
​
In addition to the below specification, eruditeMETA is committed to transparency and collaboration with both the private sector and government agencies. We are actively monitoring the guidance created and practices to be followed in securing the nation's cybersecurity and secure software supply chains. As those artifacts are created and/or published, this page will be updated to reflect those standards.
Outreach
eruditeMETA will reach out to the impacted vendor, vendors, or other, through the appropriate contact method to notify them of the existence of a discovered vulnerability with respect to their product or service offering. If a vendor did not publish a designated security contact on their website, we will attempt to contact relevant contacts and will email a general "security@" mailbox. When a secure method of communication is provided from the vendor(s) or other, erudteMETA will share its findings. To ensure contact is made, we will make multiple, documented attempts to contact the vendor(s) or other, either directly or through third parties.
​
If no response is received from the impacted vendor(s) or other within two weeks, eruditMETA may choose to release the findings publicly in order to notify and/or protect the greater public.
Response Time
eruditeMETA will do its best to work with the appropriate vendor(s) or group over a 90-day time period to address the vulnerability with a patch. We will provide additional information, as well as assistance, to ensure the security issues identified are verified and resolved. At the end of the 90-day period, or before, in a case where the issue is resolved, eruditeMETA may publish its findings in order to notify and/or protect the greater public.
With any security issue, we recognize that it may take longer than 90 days to address the security issues. In these circumstances, we will work with the vendor(s) or group on a case-by-case basis.
Other Parties
eruditeMETA reserves the right to discuss and disclose any discovered vulnerability with other parties or security vendors if we deem it is in the greater interest of providing a better overall response. Any such disclosure will be made responsibly, and the other party or security vendor must ensure proper action and disclosure should they take any action.
​
eruditeMETA will publish any security findings on its website and other locations, as deemed appropriate and responsible.
​
Anyone wishing to reach out to eruditeMETA regarding a security vulnerability may do so at security@eruditeMETA.net. Emails can be encrypted using our public key.