
Vulnerability Disclosure Policy
Last update:
Vulnerabilities Discovered by Bynario Research Lab in Open Source Software
Scope
Bynario Research Lab performs vulnerability research on selected open source software, with priority given to projects that are widely used or commonly present in customer environments.
This section describes how Bynario handles vulnerabilities discovered by its own research in third-party open source software. Vulnerabilities affecting Bynario products or services are handled separately.
Coordinated Disclosure
When Bynario Research Lab identifies a previously undisclosed vulnerability, Bynario makes a good-faith effort to report it privately to the affected maintainer, project security team, or vendor through a coordinated vulnerability disclosure process.
Bynario provides the affected party with the technical information needed to assess, reproduce, and remediate the vulnerability. Until public disclosure, Bynario treats vulnerability details as confidential and limits access to the parties involved in the coordination process.
Customer Defensive Information
After making a good-faith effort to notify the affected maintainer or vendor, Bynario may provide customers with mitigation advice when Bynario has reason to believe that an undisclosed vulnerability is relevant to their environment.
Any such communication is intended solely to help reduce risk before public disclosure or official remediation is available. Bynario does not provide exploit details, proof-of-concept material, or technical information sufficient to reproduce the vulnerability. Customer guidance is limited to the nature of the risk, the relevant affected context, and practical mitigations that may reduce exposure until a public advisory or official patch is released.
Providing limited defensive information to a customer does not change the coordinated disclosure process or create an approval requirement for public disclosure.
Remediation and CVE Assignment
Bynario works with the affected maintainer or vendor from the initial report through remediation, advisory preparation, CVE publication where applicable, and patch release.
Bynario does not currently act as a CVE Numbering Authority. When a CVE is appropriate, assignment is handled by the affected project, maintainer, vendor, or an authorized CVE Numbering Authority.
Disclosure Timing and Coordination
Disclosure timing is coordinated with the affected party and may depend on severity, exploitability, remediation progress, patch availability, and maintainer responsiveness.
Bynario may seek assistance from a recognized vulnerability coordinator if the affected maintainer or vendor does not provide a substantive response within a reasonable timeframe despite good-faith effort, declines to engage, or if coordination cannot otherwise proceed. Bynario may also do so when a vulnerability affects multiple parties.
When disclosure is coordinated, Bynario may publish or contribute to a public advisory. If coordination remains unsuccessful despite reasonable efforts, Bynario may issue a public advisory with its findings.
An advisory may include the affected software and versions, a high-level impact summary, available patches or mitigations, a CVE identifier if assigned, acknowledgments, and a summary of key disclosure timeline events.
Vulnerabilities Affecting Bynario Products and Services
Reporting
Bynario accepts good-faith vulnerability reports affecting Bynario products, services, and systems.
Reports should be submitted through the designated security contact or reporting channel published on the Bynario website.
Reports should include enough information to help Bynario understand and reproduce the issue, such as the affected component, a description of the behavior, potential impact, and reproduction steps where available.
Review and Remediation
Bynario reviews reported vulnerabilities, assesses their validity and impact, and works to remediate confirmed issues according to their severity and risk. Bynario may request additional information from the reporter when needed to complete its analysis.
Coordinated Disclosure
Bynario coordinates disclosure of confirmed vulnerabilities with the reporter when appropriate. Public disclosure timing may depend on severity, remediation progress, patch availability, customer impact, and the risk of exploitation.
Bynario may publish a security advisory or otherwise notify affected customers when a confirmed vulnerability in Bynario products or services requires customer action, may materially affect customer risk, or must be communicated under applicable legal, regulatory, or contractual obligations.