This document outlines Penticians' disclosure policy as it relates to vulnerabilities identified by Penticians staff in the course of company-sponsored research. Upon identification of a security vulnerability, Penticians will attempt to contact the appropriate product vendor by email and telephone. Fifteen (15) days after notification to the product vendor, Penticians will report the vulnerability to the Carnegie Mellon Computer Emergency Response Team (CERT), whether or not the product vendor has responded to Penticians. Based on CERT's own disclosure policy, CERT will publish an advisory related to the vulnerability to the general public in approximately forty-five (45) days (more or less, depending on extenuating circumstances). At this time, Penticians may provide our customers with product updates for the purpose of detecting and remediating this vulnerability.