
Vulnerability Disclosure Policy

Last updated: 21 June 2025

This Policy applies exclusively to BlueSphere Security Ltd's independent security research. It does not govern confidential penetration testing engagements conducted under a Customer Agreement, which are separate and subject to distinct contractual obligations.

I. Purpose

BlueSphere Security Ltd ("BlueSphere") and its security team regularly conduct independent research into the security of widely used applications, systems, and services. This research is carried out to protect end users and improve the overall security posture of the digital ecosystem.

BlueSphere recognises that responsible disclosure must strike a balance between allowing vendors sufficient time to remediate vulnerabilities and ensuring that end users are not left exposed. This Vulnerability Disclosure Policy ("Policy") defines the process by which BlueSphere discloses security vulnerabilities to product and service vendors, and when applicable, to the general public.

II. Scope

This Policy applies to all security vulnerabilities discovered by BlueSphere during its independent research activities, including but not limited to:

  • Vulnerabilities in third-party software, applications, or services
  • Misconfigurations exposing sensitive data or systems
  • Security flaws in hardware or firmware
  • Exposed infrastructure or publicly accessible sensitive endpoints

This Policy does not apply to findings arising from contractual penetration testing engagements with BlueSphere customers. Those findings are handled exclusively under the relevant Customer Agreement and applicable confidentiality obligations.

III. Disclosure Process & Timelines

Upon identifying a security vulnerability, BlueSphere follows the structured disclosure process below:

  • Day 0 — Initial Notification: BlueSphere identifies appropriate contact channels (security@ address, official disclosure programme, or formal contact mechanism) and transmits vulnerability details securely to the vendor.
  • Day 0–5 — Acknowledgement Window: The vendor is expected to acknowledge receipt within 5 business days. If no response is received, BlueSphere initiates a second contact attempt through alternative channels.
  • Day 20 — No-Response Threshold: If all contact attempts are exhausted without any vendor response, BlueSphere reserves the right to publish a public advisory 20 business days after the initial notification attempt.
  • Day 0–20 — Remediation Period: Upon vendor acknowledgement, BlueSphere grants up to 20 calendar days for the vendor to develop and release a patch or effective mitigation.
  • Day 20 — Public Disclosure: At the end of the remediation period, BlueSphere publishes a public advisory — whether or not a patch has been released — including technical details and recommended mitigations to assist the defensive security community.

IV. Extensions & Exceptional Circumstances

BlueSphere acknowledges that some vulnerabilities may require more than 20 days to remediate due to complexity, dependency chains, or compatibility constraints. Extensions may be granted on a case-by-case basis.

In the interest of transparency, if any extension is granted, BlueSphere will publish the full communication history with the vendor at the time of eventual public disclosure. This allows the security community to understand the remediation challenges vendors face when addressing high-impact vulnerabilities.

V. Immediate Public Disclosure

In circumstances where BlueSphere determines that a vulnerability poses an immediate and significant risk to the safety of end users — including active exploitation in the wild, critical infrastructure exposure, or mass data leakage — BlueSphere reserves the right to notify the vendor and the general public simultaneously.

In all cases of immediate disclosure, BlueSphere will provide the vendor with a written explanation of the factors that led to this decision.

Immediate disclosure is reserved for exceptional circumstances only. BlueSphere will always endeavour to act in the best interest of end users and to give vendors a fair opportunity to respond.

VI. Vendor Collaboration

BlueSphere is committed to working constructively with vendors throughout the disclosure process. This includes:

  • Providing clear technical documentation of the vulnerability and its potential impact
  • Assisting in understanding severity and exploitability
  • Offering to validate patches or proposed mitigations prior to public disclosure
  • Collaborating on coordinated public disclosure language where appropriate

If a vendor is unable or unwilling to patch a vulnerability, BlueSphere may offer to work with that vendor to publicly disclose the flaw alongside effective workarounds to protect end users.

VII. Contact

Service@bluesphere.dev

bluesphere.dev

BlueSphere Security Ltd — Registered in England and Wales

BlueSphere Security LTD
71-75 Shelton Street, Covent Garden,
London  WC2H 9JQ
Call - 02039542075
Service@BlueSphere.dev

Copyright © 2025 BlueSphere Security LTD. All Rights Reserved.
