About

SiliconForest Advisory 한국어 버전

What is this

Collection of advisories for vulnerabilities discovered by SiliconForest members

Disclosure policy

Mostly similar to Google Project Zero vulnerability disclosure policy

Different disclosure policies may applied when

• Related party (e.g. KISA) requests different disclosure policy

90+30 policy

SiliconForest will follow a 90+30 disclosure deadline policy. The advisory will be publicly disclose after one of these conditions are meet.

• 90 days passed after the vendor reported the vulnerability, but the vendor failed to release fix for the vunlerability.
• After 30 days passed after the vendor release a fix.

Grace period

If the vendor unable to release fix within 90 days but will make patch within additional 30 days, SiliconForest may grant grace period to the vendor upon request. In this case, following disclosure rule will apply.

• 90 + (grace period granted) days passed after the vendor reported the vulnerability, but the vendor failed to release fix for the vunlerability.
• After 30 days passed after the vendor release a fix.

• About