Bitsight reports all vulnerabilities it discovers directly to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which serves as a central authority capable of coordinating an effective response.
Vulnerability Disclosure Policy
Vendor Notification
While CISA will be involved in all vulnerability outreach to affected vendors, Bitsight may, at its sole discretion, decide to also notify directly those affected vendors who are Bitsight customers at the same time Bitsight notifies CISA. However, if the number of vendors who are customers is too high, Bitsight will defer to CISA for all vendor notification. The threshold will be evaluated on a case-by-case basis. Customer outreach will be facilitated by our Customer Success or Product team, as appropriate.
Publication Policy
Following the initial vendor notification, Bitsight will provide the notified vendor up to 60 days to reply with a vulnerability response plan. After such a waiting period, in the case of a complete lack of response, Bitsight may publish the vulnerability details at a time of its choosing.
If, after Bitsight’s notification, the vendor responds, Bitsight shall provide the vendor with an additional 60 days from the date of its initial response to provide Bitsight with information related to the vulnerability and its associated response plan.
Bitsight’s disclosure timeline may be subject to change at Bitsight’s discretion based on the following criteria:
- The vendor requests additional time to implement a patch. Requests should be accompanied by a clear remediation plan with specific milestones and deadlines.
- The vendor estimates that their customers need additional time to deploy a patch. Requests should be accompanied by a clear remediation plan with specific milestones and deadlines.
- Bitsight and the vendor agree on a specific disclosure date.
- The vulnerability is particularly hard or impossible to patch (e.g. firmware, legacy systems, ICS/OT). In this case Bitsight may add up to an additional 60 days to the disclosure date. This condition may be identified by Bitsight or substantiated by the vendor.
- The vulnerability is directly disclosed by a third party, or indirectly disclosed through active exploitation. In this case, Bitsight may choose to publish details about the vulnerability at any given time.
Notwithstanding the timelines and practices provided above, given CISA’s involvement in all vulnerability disclosures, Bitsight may consult with them for an appropriate coordinated disclosure date on a case-by-case basis, and may defer to their timeline if they recommend an accelerated schedule.
Bitsight reserves the right to deviate from this Vulnerability Disclosure Policy and modify it in its sole discretion.