Vulnerability Research & Disclosure Policy
Purpose
Delphos Labs conducts security research to identify vulnerabilities in software ecosystems, including compiled applications, open-source projects, and enterprise systems. When we discover security issues, we follow a coordinated disclosure process designed to allow vendors time to address vulnerabilities before public disclosure.
This policy describes how Delphos Labs handles vulnerabilities discovered by our research team in third-party software. It is separate from our Vulnerability Disclosure & Bug Bounty Program, which covers how external researchers report vulnerabilities to us.
Coordinated Disclosure Timeline
Delphos Labs generally follows a 90-day coordinated disclosure timeline, consistent with industry practice.
| Phase | Typical Timeline |
|---|---|
| Vendor notification | Day 0 |
| Vendor acknowledgment expected | Within 7 days |
| Courtesy reminder to vendor | Day 45 |
| Final notice to vendor | Day 60; notification that public disclosure will proceed at Day 90 if unresolved. |
| Fix development window | Up to 90 days |
| Public disclosure | After patch release or 90 days, whichever comes first. |
If a vendor is actively working on a fix and requests additional time, Delphos Labs may grant a reasonable extension at our discretion.
Vendor Contact Process
When Delphos Labs discovers a vulnerability, we will attempt to contact the affected vendor through their published security contact channels (e.g. security.txt, published disclosure policies, or security@ email addresses).
If your organization has received a vulnerability report from Delphos Labs and needs to coordinate with our research team, please contact us at:
- Email: vuln-disclosure@delphoslabs.com
- GPG Key: https://delphoslabs.com/gpg-key.txt
- GPG Key ID: 73B704F2FCCEC1CE3EE00D8D21AC604696560364
We support GPG-encrypted communication and secure file transfer for sensitive vulnerability details.
What to Expect When You Receive a Report
When your organization receives a vulnerability report from Delphos Labs:
- Acknowledge receipt — We ask that you confirm receipt within 7 days so we know the report reached the right team.
- Assign a contact — Provide a point of contact for ongoing coordination.
- Share your timeline — Let us know your expected timeline for developing and releasing a fix.
- Coordinate on disclosure — We will work with you on the timing and content of any public disclosure.
CVE Assignment
Delphos Labs may request CVE identifiers through a CVE Numbering Authority (CNA) when vulnerabilities meet the criteria for public tracking. We include CVE identifiers in all public disclosures where applicable.
If a vendor prefers to request a CVE through their own CNA or directly through MITRE, we are happy to coordinate.
Disclosure Conditions
Delphos Labs may publicly disclose vulnerability details when any of the following conditions are met:
- A patch has been released by the vendor
- The vendor has declined to address the vulnerability
- The 90-day disclosure window has passed without a fix
- The vendor is unresponsive after repeated contact attempts
Early Disclosure Exceptions
Delphos Labs may accelerate the disclosure timeline if:
- The vulnerability is being actively exploited in the wild
- There is evidence of widespread compromise
- Public safety is at immediate risk
- A third party has independently disclosed the same vulnerability
In such cases, we will make reasonable efforts to notify the vendor before publishing.
Vulnerability Naming
Delphos Labs assigns internal tracking identifiers to vulnerabilities discovered by our research team prior to CVE assignment. These identifiers follow the format DL-YYYY-NNNN and are referenced in all internal and external communications about the vulnerability.
Research Publication
After coordinated disclosure, Delphos Labs may publish technical research describing vulnerabilities discovered by our team. Published research may include:
- Technical description of the vulnerability
- Impact analysis
- Proof-of-concept details (after a patch is available)
- Remediation guidance
All publications will credit the Delphos Labs researchers involved in the discovery.
Credit
Vendors are encouraged to credit Delphos Labs researchers when publishing security advisories related to vulnerabilities we have reported. We are happy to coordinate on advisory language and researcher attribution.
Questions
Questions regarding this policy may be sent to vuln-disclosure@delphoslabs.com. We welcome feedback and suggestions for improving our disclosure process.
If you are a security researcher looking to report a vulnerability in Delphos Labs products, please see our Vulnerability Disclosure & Bug Bounty Program.