Coordinated vulnerability disclosure policy

Disclosure policy.

Last revised on March 6, 2026. VAPT's goal is to be the go-to CNA partner for security companies running pentests and security assessments. When a firm finds a vulnerability across multiple versions, VAPT creates a formal case, assigns CVEs, and connects the disclosure back to the responsible researchers or teams. We also accept submissions from independent researchers. This policy describes how we coordinate disclosure so those findings can become public, verifiable, and professionally attributed.

Policy goals

VAPT follows a coordinated disclosure model.

Our vulnerability disclosure policy has two goals:

  • Ensure vendors are given a reasonable amount of time to address reported issues.
  • Provide the security community and affected users with honest, useful, and actionable vulnerability details.

Reporting route and intake standards

The Request CVE form is VAPT's public intake route for vulnerability disclosures. It exists to help researchers report issues responsibly, help vendors respond faster, and help VAPT case teams manage the case from intake to publication.

  • The Request CVE form is for vulnerability disclosure only. It is not a support, sales, or general product contact channel.
  • Reports should identify the affected vendor, product, versions, impact, and enough technical evidence for reproducibility review.
  • Researchers should report in good faith and keep unpublished technical details private while coordination is active.
  • VAPT may decline, defer, or redirect submissions that are incomplete, duplicative, or better handled through a more appropriate security reporting route.

Coordinated disclosure process

We believe we can achieve our policy goals by practicing coordinated disclosure. Our implementation of that process follows:

  • VAPT will contact the affected vendor with vulnerability details and provide a 120-day deadline to fix the issues or publish an advisory.
  • VAPT may provide customers with vulnerability details so they can take defensive measures while an official patch is being developed.
  • VAPT will remain in regular contact with the vendor to coordinate a date to publish coordinated advisories.
  • On the same day the vendor publishes a patch or an advisory, VAPT will publish a third-party vulnerability advisory.
  • If the 120-day deadline passes without a vendor patch or advisory, VAPT will publish an uncoordinated third-party vulnerability advisory.

Caveats and exceptions

There are some important operating caveats to this process. These rules exist to keep the workflow predictable, professional, and defensible for all sides.

  • No deadline extensions will be given.
  • VAPT will treat any published patch as a public disclosure.
  • Communication will occur exclusively over email or the VAPT platform.
  • VAPT will not participate in vulnerability disclosure programs that prohibit public disclosure or in any way attempt to control VAPT's work.
  • If a vendor states that they do not intend to remediate or issue an advisory for a reported vulnerability, the coordinated disclosure timeline may no longer apply.
Major caveat: active exploitation changes the deadline.

If VAPT determines the vulnerability is being exploited in the wild, the deadline changes from 120 days to 7 days. The goal is to take away the attacker's advantage and ensure defenders are made aware of the situation.

Editorial independence

VAPT reserves the right to deviate from, or change, the outlined process as needed. Publication decisions remain VAPT's responsibility.

How VAPT fits into the workflow

VAPT is not just a CVE request mailbox. The platform exists to help researchers receive recognition, help vendors remediate faster, and give the public a clearer advisory record when disclosure is justified.

  • Researchers receive a structured reporting route, persistent case tracking, and public credit when a disclosure is published.
  • Vendors receive a clear coordination path, a documented timeline, and a consistent publication counterpart.
  • Operators maintain the case record, validate evidence, manage communication, and decide when advisories should go live.
  • CVE assignment may be part of this process when the case qualifies, but it is a supporting function inside the broader disclosure workflow.