oss-fuzz/docs/getting-started/bug_disclosure_guidelines.md


layout: default
title: Bug disclosure guidelines
parent: Getting started
nav_order: 4
permalink: /getting-started/bug-disclosure-guidelines/

Bug Disclosure Guidelines

Following Google's standard disclosure policy, OSS-Fuzz will adhere to the following disclosure principles:

  • Deadline. After notifying project authors, we will open reported issues to the public in 90 days, or 30 days after the fix is released (whichever comes earlier).
  • Weekends and holidays. If a deadline is due to expire on a weekend, the deadline will be moved to the next normal work day.
  • Grace period. We have a 14-day grace period. If a 90-day deadline expires but the upstream engineers let us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.