{{Header}}
{{title|title=
{{project_name_short}} Vulnerability Disclosure Policy
}}
{{#seo:
|description=todo
}}
{{intro|
todo

Version: 1.0
}}
{{draft}}
* 90+30 policy: {{project_name_short}} follows a 90+30 disclosure deadline policy. This means a vendor has 90 days after {{project_name_short}} notifies them about a security vulnerability to make a patch available to users. If a patch is made available within 90 days, {{project_name_short}} will publicly disclose details of the vulnerability 30 days after the patch has been made available to users.
** Example, patch available on day 47: Details are made public on day 77.
** Example, patch available on day 83: Details are made public on day 113.
** Example, no patch within 90 days: Details are made public at the end of the 90-day period.
* Grace period: If a vendor is unable to make a patch available in 90 days, but will make a patch available within an additional 14 days (that is, within 104 days since the vulnerability was disclosed to the vendor), {{project_name_short}} may grant a grace period upon request. In that case, {{project_name_short}} will publicly disclose details of the vulnerability 120 days after the vulnerability was initially disclosed to the vendor.
* In-the-wild vulnerabilities: As described in Google's application security vulnerability disclosure policy, if {{project_name_short}} finds evidence that a vulnerability is being actively exploited against real users "in the wild", a 7-day disclosure policy replaces the 90-day policy. However, the 30-day window still applies, meaning that {{project_name_short}} will publicly release details of the vulnerability 30 days after a patch is made available to users, as long as a patch was made available by the end of the 7-day deadline.
** In-the-wild grace period: The grace period for in-the-wild vulnerabilities is 3 days. Similar to the 90-day policy, public details for patches made available during the grace period will still be released 30 days after the original deadline (that is, day 37), regardless of which day the patch is released.
* Mutually-agreed early disclosure: In any of the above cases, {{project_name_short}} and the relevant vendor can mutually agree to release details of a vulnerability earlier than the date indicated by policy.
* Project Zero's FAQ: Not part of the {{project_name_short}} Vulnerability Disclosure Policy. May be useful as a general rationale for why the {{project_name_short}} Vulnerability Disclosure Policy might make sense. Non-binding: [https://projectzero.google/vulnerability-disclosure-faq.html Project Zero (not {{project_name_short}}!) Vulnerability Disclosure policy FAQ]
* Reported vulnerabilities: What kind of security vulnerabilities did {{project_name_short}} report? See [[Dev/research#Security_Vulnerability_Bug_Reports|Security Vulnerability Bug Reports]].
* What is Project Zero: A dedicated security vulnerability research project. See also [https://projectzero.google/about-pz.html About Project Zero].
* What is {{project_name_short}}: A security-hardened operating system. See also [[About]]. TODO: expand.
** Scope: {{project_name_short}} is primarily a Linux distribution (a compilation of many upstream components, {{project_name_short}} software, and integration "glue") focused on proactive security defenses. It is not primarily a project that searches for security vulnerabilities in third-party (upstream) software. {{project_name_short}} does not intend to become Project Zero. Due to our [[Dev/research|security hardening research]] we sometimes find security vulnerabilities in upstream software.

= Upstream Project Communication Templates =
{{quotation
|quote=This bug is subject to a 90 day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline.
}}

= Credits =
Based on [https://projectzero.google/vulnerability-disclosure-policy.html Project Zero vulnerability disclosure policy].

{{Footer}}
[[Category:Development]]