Abstract

CUJO AI will follow the 90-day disclosure deadline, which starts after notifying vendors of a vulnerability, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.

In case of a positive and active response from the vendor, disclosure can be postponed once, for an additional 30 days. The option to extend the timeline is a necessity in the IoT ecosystem, where most devices lack proper automated updates and many lack vendor support altogether.

CUJO AI will take all reasonable steps to confirm the identity of the affected vendors. If we cannot identify the vendor, or the vendor ignores the vulnerability report, we will share the findings with the community.

How CUJO AI Handles Security Vulnerabilities

Our vision at CUJO AI is to create a future where digital experiences are secure, private and personal. As a provider of products and services for many users across the Internet, we recognize how important it is to help protect user privacy and security. We understand that secure products are instrumental in maintaining the trust users place in us. We strive to create innovative products that both serve the user’s needs and operate in the user’s best interest.

CUJO AI’s Vulnerability Disclosure Policy

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why CUJO AI adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days or sooner if the vendor releases a fix. That deadline can vary in the following ways:

  • If a deadline is due to expire on a weekend or US public holiday, the deadline will be moved to the next normal workday.
  • Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 60 days following the deadline, we will delay the public disclosure until the patch is available.
  • When we observe a previously unknown and unpatched software vulnerability under active exploitation (a “0day”), we believe that more urgent action—within 30 days—is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Thirty days is an aggressive timeline in the IoT ecosystem and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access or contacting the vendor for more information. As a result, after 30 days have elapsed without a patch or advisory, we will support researchers in making details available so that users can take steps to protect themselves.

As always, we reserve the right to bring deadlines forward or backward based on extreme circumstances. We remain committed to treating all vendors strictly equally. CUJO AI expects to be held to the same standard.

Frequently Asked Questions

How does CUJO AI publicly disclose a vulnerability?

Initially, all of our bug reports are restricted so that only CUJO AI team members can see the technical content. When it is time to disclose, we publish a technical blog post, at which point the technical description of the vulnerability becomes publicly accessible. If the disclosure happens because of a missed deadline, the “Deadline-Exceeded” label is used. If the 30-day grace extension was applied, the bug will carry the “Deadline-Grace” label.

Why are disclosure deadlines necessary?

We are concerned that patches are taking a long time to be developed and released to users, and we feel that disclosure deadlines set up the right balance of incentives.