Key Resources, Inc. (KRI) is committed to resolving security vulnerabilities quickly and responsibly, and in a manner that serves the best interests of the community as a whole. In keeping with this commitment, KRI will:
Disclose any security vulnerabilities it identifies to any affected vendor(s) promptly and responsibly.
Dialogue with any affected vendor(s) regarding KRI’s publication plans, information supporting the vulnerability report, and publication schedules where appropriate.
Disclose any security vulnerabilities to the public 90 days after the initial report to the vendor, regardless of the existence or availability of patches or workarounds from affected vendors; however, extenuating or mitigating circumstances may result in earlier or later public disclosure.
Key Resources may report vulnerabilities that it identifies to a responsible third-party reporter. In such circumstances, the third-party reporter may undertake to provide notification and publication schedules to affected vendors with respect to the subject vulnerability. KRI will work with the third-party reporting entity to ensure that a responsible disclosure process is followed.
Key Resources believes that a responsible disclosure policy balances the right and necessity of the public to be informed of security vulnerabilities with vendors’ desire to respond effectively. Thus, ultimately, our reporting and publication decisions will be based on the best interests of the community overall.
KRI reserves all of its rights, remedies, and defenses, and waives none.