Disclosure Policy
At AttackIUM, we are committed to responsible vulnerability disclosure. Our goal is to protect users and organizations by ensuring that security issues are remediated in a timely manner before details are publicly released.
Our Disclosure Process
1. Identification & Initial Contact
When AttackIUM discovers a vulnerability, we promptly notify the affected vendor or project maintainers through their designated security contact channels (e.g., security@ email, bug bounty portal, or coordinated disclosure platform).
Our reports include: detailed technical descriptions, proof-of-concept (PoC) code, potential impact assessment, and suggested remediation steps.
2. Remediation Period (90 Days)
We provide a 90-day window for vendors to develop and release patches. This timeframe allows for proper testing and deployment while balancing security urgency.
Extensions may be granted for complex fixes or when vendors demonstrate active progress toward resolution.
We may accelerate disclosure if a fix is released earlier than expected, especially for critical vulnerabilities.
3. Public Disclosure (After 90 Days)
If no patch is available after 90 days, we will publicly disclose the vulnerability details to help users protect themselves.
We may delay disclosure if a vendor provides a credible timeline for a fix and demonstrates active development progress.
In cases where exploitation is detected in the wild before the 90-day period expires, we reserve the right to accelerate disclosure to protect end-users.
Our Principles
We follow industry-standard responsible disclosure practices:
- Act in good faith and with professional courtesy
- Provide clear, actionable vulnerability reports
- Respect vendor timelines and communication preferences
- Prioritize user safety and security
- Maintain transparency in our disclosure process
We believe that a 90-day disclosure window represents a balanced approach:
- Gives vendors adequate time to develop and test fixes
- Protects users by ensuring timely remediation
- Encourages responsible security practices
- Maintains trust between researchers and vendors
Legal Considerations
AttackIUM does not publicly disclose vulnerabilities before the agreed disclosure date unless:
- The vulnerability is being actively exploited in the wild
- The vendor fails to respond to initial contact attempts
- The vendor explicitly requests earlier disclosure
- Legal or regulatory requirements necessitate immediate disclosure
We comply with all applicable laws and regulations, including but not limited to the Computer Fraud and Abuse Act (CFAA) and international cybersecurity laws. We do not engage in unauthorized access or data exfiltration during our research.
Contact: contact@attackium.com
Last updated: 9/12/2025