Responsible Disclosure

Our Approach

When ODINT discovers vulnerabilities in government digital infrastructure, we balance the public interest in transparency with the responsibility to minimize harm. Our disclosure policy is designed to give affected parties reasonable time to address issues while ensuring that important findings eventually reach the public.

Guiding Principle

We believe that public disclosure of security issues ultimately improves security for everyone. However, we also recognize that immediate disclosure of critical vulnerabilities can cause harm. Our policy aims to balance these considerations.

Disclosure Categories

Critical Vulnerabilities

Issues that could result in immediate harm to individuals (e.g., exposed personal data, systems enabling surveillance of vulnerable populations). We notify affected parties immediately and provide 30-90 days for remediation before public disclosure.

High Severity Issues

Significant security weaknesses that could be exploited (e.g., authentication bypasses, unprotected administrative interfaces). We provide 60 days notice before publication.

General Findings

Exposed infrastructure that represents poor security practice but poses limited immediate risk (e.g., outdated software versions, misconfigured services). We may publish without prior notice, though we often notify affected parties as a courtesy.

Standard Disclosure Timeline

Typical Process

Day 0 Vulnerability discovered and documented

Day 1-7 Initial notification sent to affected party via secure channels

Day 14 Follow-up if no response received

Day 30-90 Disclosure window depending on severity

Post-deadline Public disclosure with or without remediation

Notification Methods

We attempt to contact affected parties through:

Official security contact addresses (security@, abuse@)
Published security.txt files
National CERT/CSIRT organizations
Direct contact with relevant government departments
Diplomatic channels for international findings

Factors Affecting Timeline

We may extend or shorten our disclosure timeline based on:

Severity of harm: More severe issues receive longer remediation windows
Active exploitation: Already-exploited vulnerabilities may be disclosed immediately
Responsiveness: Organizations actively working on fixes may receive extensions
Public interest: Issues affecting democratic processes may warrant faster disclosure
Coordination: When working with partners, we align on coordinated disclosure

What We Publish

Our disclosures typically include:

Description of the vulnerability and affected systems
Potential impact and risk assessment
Timeline of our disclosure attempts
Current status (remediated or not)
Recommendations for affected parties

We do not publish working exploit code or detailed technical information that would primarily benefit attackers.

Exceptions

We may deviate from this policy when:

A vulnerability is already being actively exploited in the wild
The affected party refuses to engage or threatens legal action
Public safety requires immediate disclosure
A coordinated disclosure date has been agreed with partners