Responsible Disclosure Policy

Actyra is committed to working with the security community and software vendors to improve the security of software used by millions of people. If our research identifies a vulnerability in your product, we want to work with you to resolve it responsibly.

For Vendors: What to Expect

When we discover a security vulnerability during our binary analysis, we follow a structured disclosure process designed to give you time to remediate before public disclosure.

  1. Initial notification — We send a detailed vulnerability report to your security team via your published security contact (security@, bug bounty program, or PSIRT). The report includes: vulnerability description, affected component, reproduction steps, CVSS score, and suggested remediation.
  2. Acknowledgment window (7 days) — We expect an acknowledgment of receipt within 7 calendar days. If we receive no response, we will make two additional contact attempts via alternative channels (e.g., CTO email, support ticket, social media DM).
  3. Remediation window (90 days) — From the date of initial notification, you have 90 calendar days to develop and deploy a fix before we publish the finding.
  4. Progress updates — We appreciate periodic updates on remediation progress. If you are actively working on a fix and can demonstrate progress (patch in testing, release date committed), we may extend the timeline.
  5. Publication — After the 90-day window (or upon patch release, whichever comes first), we publish a security advisory with details sufficient to inform affected users.

Timeline Modifications

Expedited Disclosure (less than 90 days)

We may shorten the disclosure timeline if: the vulnerability is being actively exploited in the wild; the vendor is unresponsive after three contact attempts over 21 days; or the vulnerability poses an imminent risk to user safety that outweighs the benefit of delayed disclosure.

Extended Disclosure (more than 90 days)

We may extend the timeline if: the vendor is demonstrably working on a fix and provides a committed release date; the fix requires a coordinated multi-vendor response; or exceptional circumstances (e.g., holiday code freeze, dependency on upstream fix) warrant additional time. Extensions are granted in 30-day increments, up to a maximum of 180 days total.

Scope

This policy applies to security vulnerabilities discovered during our binary analysis research. The following types of findings are in scope:

  • Remote code execution vulnerabilities
  • Hardcoded credentials and API secrets
  • Cryptographic weaknesses (weak algorithms, hardcoded keys/salts/IVs)
  • Certificate validation bypasses
  • Deserialization vulnerabilities
  • XML external entity (XXE) injection
  • Privilege escalation via DLL hijacking or insecure file permissions
  • Authentication and authorization bypasses

The following types of findings are not subject to this disclosure policy (they are published as transparency research):

  • Undisclosed data collection practices (privacy/transparency findings)
  • Policy discrepancies (what the vendor says vs. what the code does)
  • GDPR/CCPA compliance observations
  • Pre-consent telemetry documentation

Our Commitments

  • We will not exploit vulnerabilities beyond what is necessary to confirm their existence
  • We will not access, modify, or exfiltrate user data
  • We will not perform denial-of-service testing
  • We will not publicly disclose vulnerability details before the remediation window expires
  • We will provide clear, actionable remediation guidance with every report
  • We will credit your security team in our published advisory if a patch is released
  • We will update our published advisory to note when a fix is available

Safe Harbor

We consider security research conducted under this policy to be:

  • Authorized under the Computer Fraud and Abuse Act (CFAA) and equivalent international laws
  • Exempt from DMCA restrictions under § 1201(f) and § 1201(j)
  • Conducted in good faith and in accordance with this policy
  • Lawful, helpful to the vendor, and conducted in the public interest

We ask that vendors reciprocate by not pursuing legal action against researchers who discover vulnerabilities in good faith and report them in accordance with this policy. We strongly encourage vendors to adopt a formal vulnerability disclosure policy and safe harbor commitment of their own.

CVE Assignment

For vulnerabilities that meet the criteria for formal classification:

  1. We submit CVE requests to MITRE after the vendor has been notified
  2. CVE IDs are included in our published security advisories
  3. Findings are tagged with relevant CWE identifiers
  4. We coordinate with the vendor on CVE timing when possible

If you are a CNA (CVE Numbering Authority) and prefer to assign your own CVE ID, please let us know during the remediation window and we will defer to your assignment.

Communication Channels

We prefer to communicate via encrypted email when possible. All communications related to vulnerability disclosure are treated as confidential until the agreed publication date.

Contact Information

For Security Researchers

If you have discovered a vulnerability in the Actyra Open platform itself, please report it to security@actyra.com. We commit to:

  • Acknowledging receipt within 48 hours
  • Providing a severity assessment within 7 days
  • Keeping you informed of remediation progress
  • Crediting you in our security advisory (unless you prefer anonymity)
  • Not pursuing legal action against good-faith security research

References

This policy is informed by industry best practices: