Our Commitment
Aretiq AI is committed to improving the security of software and systems used by organizations and individuals worldwide. When we discover a vulnerability, we follow a coordinated disclosure process that balances the urgency of protecting users with giving vendors a fair opportunity to develop and release patches.
Disclosure Timeline
- 90 days from the date we notify the vendor for standard vulnerabilities.
- 120 days for complex issues that involve multiple vendors, multi-party coordination, or require extensive architectural changes.
- If a vendor releases a patch before the deadline, we may publish our advisory shortly after the patch becomes available, leaving a brief window for deployment.
- If a vendor remains unresponsive to multiple contact attempts over 30 days, the 90-day clock is counted from our first documented outreach.
Extensions
We may grant a one-time extension of up to 14 days if:
- The vendor is actively working on a fix and can demonstrate meaningful progress.
- A patch is confirmed but requires additional time for quality assurance or coordinated rollout.
Extensions are not granted indefinitely. We believe firm deadlines protect end users and incentivize timely remediation.
What We Publish
After the disclosure deadline or patch release (whichever comes first), we publish an advisory that may include:
- Vulnerability description and root cause analysis
- Affected products and versions
- CVSS severity assessment
- Detection guidance
- Proof-of-concept code (gated behind enterprise email verification to prevent abuse)
We do not publish weaponized exploits. Our proof-of-concept code is designed to demonstrate the vulnerability for defensive purposes only.
What We Expect From Vendors
- Acknowledge receipt of our report within 5 business days.
- Provide a CVE identifier or confirm one will be requested.
- Communicate a remediation timeline.
- Credit Aretiq AI in the security advisory.
Standards Alignment
This policy is informed by:
- ISO/IEC 29147 (Vulnerability Disclosure)
- ISO/IEC 30111 (Vulnerability Handling Processes)
- CERT/CC Coordinated Vulnerability Disclosure guidelines