$ cat ~/disclosure-policy.txt

// RESEARCH

HOW I DISCLOSE

WHAT THIS IS

This is my personal policy as a security researcher. It describes how I handle vulnerabilities I discover in other people's products and services — how I report them, what I share, and when I publish. If you're looking for how to report a bug in my systems, that's the site security policy.

HOW I REPORT

When I find a vulnerability, I report it privately to the vendor first — via their published security contact, security.txt, bug bounty program, or a maintainer channel if nothing formal exists. Reports include a clear description, reproduction steps or proof of concept, an impact assessment, and a suggested fix where I have one. I don't condition reports on payment, and I don't publish details before the timeline below runs — whichever comes first: a fix ships, or the deadline passes.

DISCLOSURE TIMELINE

90 days, plus a 30-day grace period. I publicly disclose details 90 days after my initial report. If a patch is scheduled to ship shortly after the deadline, I'll extend by up to 30 days. Exceptions, in both directions:

If a fix ships and is broadly deployed earlier, I may publish earlier — coordinated with the vendor. If a vulnerability is being actively exploited in the wild, the window shrinks to 7 days: users deserve to know. If a vendor is unreachable or unresponsive after repeated good-faith attempts, disclosure proceeds at day 90 regardless.

COORDINATION

I'm happy to coordinate release timing, review advisories, request CVEs where appropriate, and hold details for a scheduled patch day within the window above. What I won't do: sign agreements that suppress disclosure indefinitely, accept payment in exchange for silence, or treat a bounty as a gag. Credit is appreciated but never required.

GOOD FAITH, ALWAYS

My research stays within the law and within reason: I access only the minimum data needed to demonstrate an issue, I don't persist in systems, degrade services, or touch other users' data, and anything incidentally accessed is deleted after the report. I follow each vendor's published safe-harbor terms where they exist, and I expect the same good faith in return.

LAST UPDATED: 2026-07-18 · CONTACT: aaron@aarondavidge.com

FOUND A SECURITY BUG ON THIS SITE? SEE THE RESPONSIBLE DISCLOSURE POLICY · bugs@aarondavidge.com