
Responsible Disclosure Policy
At Hayrok LLC, we are deeply committed to safeguarding security and privacy. We understand the vital role that transparency, collaboration, and proactive security practices play in protecting digital ecosystems. Our goal is to work with external stakeholders, including clients, open-source contributors, and others, to identify and strengthen weak points in the software they rely on.
This policy outlines Hayrok's process for responsibly disclosing security vulnerabilities identified by our engineers that:
- Fall outside the scope of any specific contractual engagement,
- Are not present in Hayrok-developed tools or platforms, and
- Are unrelated to client-requested security testing or projects.
If a vulnerability is found during a commissioned engagement, Hayrok will not proceed with further action or public disclosure without the client’s prior written consent. Any formal disclosure process will be initiated only with the client's approval after the engagement ends.
Reporting and Coordination Process
When a new, previously unknown vulnerability is discovered, the Security Engineer who identifies it will escalate the finding to the Hayrok Technical Steering Committee (TSC). The committee will oversee the investigation, validate the vulnerability, assess its potential impact, and initiate coordinated disclosure with the affected vendor, provider, or open-source project.
Hayrok will attempt to contact the responsible party via email and propose a secure channel for communication using PGP encryption. If the vendor agrees and a secure exchange is established, the report will be sent in encrypted form.
If no reply is received within seven (7) days, the TSC will follow up by sending the vulnerability details in plain text via email to ensure the message reaches the responsible party.
This process aligns with industry-recognized practices, including those recommended by CERT/CC (Carnegie Mellon University’s Computer Emergency Response Team). See their official guidance for more: CERT Vulnerability Disclosure Guidelines.
Our disclosure framework seeks to strike a balance between informing the public and giving vendors a reasonable amount of time to resolve issues. Disclosure timelines may be adjusted on a case-by-case basis based on risk and cooperation level.