2019-08-07 14:37:16 +00:00
|
|
|
---
|
|
|
|
|
layout: default
|
|
|
|
|
title: Bug disclosure guidelines
|
|
|
|
|
parent: Getting started
|
|
|
|
|
nav_order: 4
|
|
|
|
|
permalink: /getting-started/bug-disclosure-guidelines/
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
## Bug Disclosure Guidelines
|
|
|
|
|
|
|
|
|
|
Following [Google's standard disclosure policy](https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html),
|
|
|
|
|
OSS-Fuzz will adhere to following disclosure principles:
|
|
|
|
|
|
|
|
|
|
- **Deadline**. After notifying project authors, we will open reported
|
2021-03-11 22:34:56 +00:00
|
|
|
issues to the public in 90 days, or after the fix is released (whichever
|
|
|
|
|
comes earlier).
|
2019-08-07 14:37:16 +00:00
|
|
|
- **Weekends and holidays**. If a deadline is due to expire on a weekend,
|
|
|
|
|
the deadline will be moved to the next normal work day.
|
|
|
|
|
- **Grace period**. We have a 14-day grace period. If a 90-day deadline
|
|
|
|
|
expires but the upstream engineers let us know before the deadline that a
|
|
|
|
|
patch is scheduled for release on a specific day within 14 days following
|
|
|
|
|
the deadline, the public disclosure will be delayed until the availability
|
2021-03-11 22:34:56 +00:00
|
|
|
of the patch.
|
