CIPHERCUE

Policy

Coordinated disclosure policy

CipherCue operates a continuous external observation programme. When an observation indicates a catalogued security issue against an organisation's publicly exposed software, we attempt to notify that organisation before exposing the observation on any CipherCue customer surface.

48-hour silent window. Every new pre-disclosure observation is held silent for 48 hours while we attempt responsible disclosure to the affected organisation.

Scope

This policy covers observations CipherCue generates itself — principally KEV matches against observed fingerprints and suspected-incident patterns (e.g. emergency certificate rotation, unplanned DNS authority change). It does not cover public authority records (e.g. state AG breach notifications, SEC 8-K): those are already public.

Silent window

When a new pre-disclosure observation is recorded:

  1. A DisclosureAttempt record is created.
  2. CipherCue attempts to contact the target (see "Channels" below).
  3. 48 hours after the attempt — regardless of whether a response was received — the observation is released to customer-facing surfaces.
  4. If the target acknowledges and requests an extended window, we honour a single 14-day extension on written request.

Channels

In priority order:

  1. security.txt contact (RFC 9116).
  2. WHOIS abuse contact, where resolvable.
  3. security@{domain} as a fallback.
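The following is an added example, not CipherCue's own code, showing how the "Silent window" steps and the three-channel "Channels" priority above can be modelled end to end: a security.txt body is parsed for its Contact and Expires fields (RFC 9116 minimal parsing), an expired or absent file falls through to the WHOIS abuse contact and then to security@{domain}, and a DisclosureAttempt record carries the 48-hour release time and the single 14-day extension. The function and class names (parse_security_txt, resolve_contact, DisclosureAttempt), the security.txt sample, and the assumption that the WHOIS abuse contact is supplied by the caller rather than looked up are all assumptions made for this example; the extension is assumed to add 14 days to the existing release time.

```python
from datetime import datetime, timedelta, timezone

# Windows stated in the policy above.
SILENT_WINDOW = timedelta(hours=48)
EXTENSION = timedelta(days=14)

# Constructed sample security.txt body (assumed, not a real organisation's file).
SAMPLE_SECURITY_TXT = """\
# constructed sample for example.test
Contact: mailto:secops@example.test
Contact: https://example.test/report
Expires: 2099-01-01T00:00:00Z
"""

# Same file with an Expires date in the past: must be treated as absent.
EXPIRED_SECURITY_TXT = SAMPLE_SECURITY_TXT.replace("2099", "2020")


def parse_security_txt(body):
    """Return (contacts, expires) from a security.txt body.

    Minimal RFC 9116 handling: field lines are 'Name: value', names are
    case-insensitive, '#' lines are comments. Contacts keep file order,
    which RFC 9116 defines as the sender's preference order.
    """
    contacts = []
    expires = None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        value = value.strip()
        if name == "contact":
            contacts.append(value)
        elif name == "expires":
            # RFC 9116 uses RFC 3339 timestamps; Python accepts them with +00:00.
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return contacts, expires


def resolve_contact(domain, security_txt=None, whois_abuse=None, now=None):
    """Apply the channel priority: security.txt, then WHOIS abuse, then security@domain.

    Returns (channel, contact). A security.txt with no Contact, no Expires,
    or a past Expires is skipped, since RFC 9116 requires both fields.
    """
    now = now if now is not None else datetime.now(timezone.utc)
    if security_txt:
        contacts, expires = parse_security_txt(security_txt)
        if contacts and expires is not None and expires > now:
            return "security.txt", contacts[0]
    if whois_abuse:
        return "whois", whois_abuse
    return "fallback", f"security@{domain}"


class DisclosureAttempt:
    """Record created when a pre-disclosure observation is first held silent."""

    def __init__(self, domain, channel, contact, attempted_at):
        self.domain = domain
        self.channel = channel
        self.contact = contact
        self.attempted_at = attempted_at
        # Step 3: released 48 hours after the attempt regardless of response.
        self.release_at = attempted_at + SILENT_WINDOW
        self.extended = False

    def request_extension(self, written_request):
        """Step 4: honour exactly one 14-day extension, only on written request."""
        if self.extended or not written_request:
            return False
        self.release_at = self.release_at + EXTENSION
        self.extended = True
        return True

    def is_released(self, now):
        return now >= self.release_at


if __name__ == "__main__":
    attempted = datetime(2026, 6, 12, 9, 0, tzinfo=timezone.utc)
    channel, contact = resolve_contact("example.test", SAMPLE_SECURITY_TXT,
                                       "abuse@registrar.test", now=attempted)
    attempt = DisclosureAttempt("example.test", channel, contact, attempted)
    print(channel, contact, attempt.release_at.isoformat())
    attempt.request_extension(written_request=True)
    print("after extension:", attempt.release_at.isoformat())
```

Running the block resolves the constructed sample to the first security.txt Contact and prints a release time of 2026-06-14T09:00 UTC, then 2026-06-28T09:00 UTC after the one permitted extension; the expired sample falls through to the WHOIS abuse address.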

Standards alignment

Contact for coordinated disclosure

security@ciphercue.com is the single address for coordinated disclosure matters, including requests for extension and notices of remediation.

Changelog
v1.0 — 2026-06-12 — Initial publication. 48-hour silent window, three-channel contact resolution.