Disclosure

Frostfire Labs is committed to coordinated disclosure of the security vulnerabilities we identify. We follow an industry-standard timeline that gives vendors time to remediate while ensuring users and the broader security community receive actionable information.

DISCLOSURE TIMELINE

We notify the affected vendor as soon as we have confirmed a vulnerability and prepared a minimal proof-of-concept. The default disclosure deadline is 90 calendar days from the date of notification. If the vendor releases a fix before the deadline, we publish details 30 days after the fix is available. If no fix ships, we publish at the 90-day mark.

EXTENSION

If a vendor indicates a patch will be released within 30 days after the 90-day deadline, we will delay public disclosure until the patch becomes available. Extensions beyond that window are not granted.

ACTIVE EXPLOITATION

If we determine a vulnerability is under active exploitation, the disclosure timeline accelerates to 7 calendar days. We expect vendors to publish mitigation guidance within that window even if a complete fix is not yet available.

VENDOR NON-RESPONSE

If a vendor does not respond to our initial notification within 15 calendar days, we notify CERT/CC and continue our disclosure process on the standard timeline. The 90-day clock does not reset.

CVE ASSIGNMENT

The first public mention of a vulnerability we disclose will include a CVE identifier. We pre-assign CVEs for vulnerabilities that pass their disclosure deadline.

REPORTING A VULNERABILITY TO FROSTFIRE

If you have identified a vulnerability in a Frostfire Labs system, service, or publication:

Email: disclosure@frostfirelabs.io

PGP: /pgp-key

Subject prefix: [FFL-SEC]