Vulnerability Disclosure Policy
Trail of Bits is committed to the coordinated disclosure of vulnerabilities, which helps protect clients, vendors, and downstream users. As a security research company, we regularly develop analysis methods and tooling that discover vulnerabilities in production systems. This policy describes how Trail of Bits handles the disclosure of these vulnerabilities.
Trail of Bits follows a 90+30 disclosure deadline policy similar to Project Zero, meaning a vendor has 90 days after Trail of Bits notifies them about a security vulnerability to make a patch available to users. If the vendor makes a patch available within 90 days, Trail of Bits will publicly disclose details of the vulnerability 30 days after the patch has been made available to users.
If a vendor is unable to make a patch available in 90 days, but will make a patch available within an additional 14 days, Trail of Bits may grant a grace period to the vendor upon request. In this case, Trail of Bits will publicly disclose details of the vulnerability 104 days after the vulnerability was initially disclosed to the vendor.
Trail of Bits and the affected vendor can mutually agree to release details of a vulnerability earlier than the date indicated by policy.
If the vendor is unable to patch an issue within the initial 90 days and has not attempted to communicate an alternative timeline, Trail of Bits will make the details of the vulnerability public at the end of the 90-day period.
We reserve the right to alter deadlines in exceptional situations, either advancing the release (e.g., if we find evidence that a vulnerability is being actively exploited against real users “in the wild”) or delaying the release (e.g., if it is evident that an issue is sufficiently severe or the fix is sufficiently complex).
Trail of Bits is a transparent company that believes in sharing our ideas, knowledge, and tools publicly for the benefit of the security community. We believe that publishing the details of our disclosed vulnerabilities provides significant educational value to the community, and regularly publicize the details of our vulnerability disclosures. Examples of vulnerabilities we have previously disclosed can be viewed in the “Vulnerability Disclosure” category on our company blog and “Disclosures” in our publications repository.
If a bug affects multiple vendors, we reserve the right to work with an external coordinator for support, such as CERT/CC or US-CERT.
If you have a bug you’d like Trail of Bits to consider reviewing for validation and disclosure, you can submit it through our SendSafely Disclosure portal. If for some reason you need to send your bug report anonymously, consider using services like ProtonMail, Guerrillamail, or similarly recommended anonymous email services for validating your SendSafely disclosure.
Please Note: If you submit a bug to Trail of Bits, we make no guarantee that the bug will be reviewed, validated, or made public. If we determine a bug to be impactful after reviewing and validating the disclosure, we will at minimum disclose the bug to the vendor. If deemed appropriate based on the nature of the bug, Trail of Bits will follow the process outlined in our Vulnerability Disclosure Policy above to coordinate remediation and public disclosure of the bug with the vendor.
When submitting a bug through the portal, the following information is requested:
- Has this bug already been disclosed to the vendor? [Yes and the approximate date] or [No].
- Software version or location: What software does this bug affect, and who develops it? If the bug is in a web application, where does the bug exist?
- Impact: What can an attacker achieve with this bug?
- Steps to reproduce the bug: Provide a detailed, step-by-step set of instructions for Trail of Bits to reproduce and validate the impact of this bug.
- Can we contact you for additional clarification(s)? [Yes and best contact email], [No], or [N/A] for anonymous submissions.