PUBLIC DISCLOSURE STATEMENT FOR VENDORS

This page explains how UT researchers will deal with vulnerabilities found in third-party systems during their research, as part of our outbound Coordinated Vulnerability Disclosure Policy for Research.

Information for researchers and students about the policy can be found on the Service Portal.

Summary

We immediately contact the appropriate responsible party/vendor and inform them of the security vulnerabilities we found. We expect the affected party to respond within 21 days and let us know how the flaws will be mitigated to protect users. We are willing to work together with the vendor to find ways to mitigate the issue. If we don't hear back within 21 days after reporting, we will explain our publication timeline and give them another opportunity to get in touch to discuss this timeline.

If no reasonable fix or update is available after 90 days from the reporting date, we consider disclosing the vulnerabilities publicly. Nonetheless, we are willing to negotiate the publication date in cases where 90 days are not sufficient to release proper patches.

Reporting

Mitigation & Timeline

Disclosure

Additional Considerations