IU is committed to do our best to complete patching and remediation of vulnerabilities within 90 days, and to disclose the details of those vulnerabilities when patches are published and remediation is complete. In some cases, patching and remediation may take longer than 90 days. Unless your report is anonymous, we will communicate expected timelines and update you if the patching and remediation is going to exceed 90 days.
IU believes that public disclosure of vulnerabilities is an essential part of the vulnerability disclosure process and that one of the best ways to make software and systems better is to enable everyone to learn from each other's mistakes. At the same time, we believe that disclosure in the absence of a readily available patch and/or remediation of affected systems tends to increase risk rather than reduce it, and so we require that you refrain from sharing your report with others while we work on patching and remediation. If you believe others should be informed of your report before the patch is available and remediation is complete, let us know so we can make arrangements.
IU may want to coordinate an advisory with you to be published simultaneously with the patch and the completion of our remediation, but you are also welcome to self-disclose such an advisory. By default, we prefer to disclose everything through our established channels, but we will never publish information about you or our communications with you without your permission unless required by law. In cases that include sensitive information that must be redacted prior to disclosure, we require that you check with us before self-disclosing. Also, if the patch will not be available or remediation will not be complete within 90 days after you have reported your discovery, we may require that you delay your disclosure in part or completely until a patch is ready and remediation is complete. We will make all possible efforts to patch and complete remediation within 90 days, but in those situations where we cannot, we expect your cooperation in coordinating the disclosure of information on the discovered vulnerabilities.