Disclosure Policy

Last updated: 2025-09-20

Digilol OÜ (hereafter "Digilol") is an Estonian company that provides penetration testing, software development, managed hosting and consulting services. Digilol develops and implements solutions for distributed systems and information security.

The privacy and security of Digilol’s customers and the users of any examined product are of utmost importance. Digilol refrains from disclosing vulnerabilities found during an engagement, research project, or through its software products if such a disclosure would result in any risk to organizations or individuals. In cases where critical security issues need to be made public for potential users to take protective measures, Digilol follows a responsible disclosure process. This ensures that client and partner confidentiality is respected while providing crucial security information to the community and public as soon as it is safe to do so.

Responsible Disclosure Process

Digilol adheres to a 90-day disclosure deadline by default, after which security vulnerabilities might be published. This 90-day deadline for disclosing begins after we notify the respective vendors of the products/systems about the respective vulnerabilities — such a notification happens immediately after a new vulnerability is identified. Once the 90-day deadline expires — or sooner if the vendor releases a fix — further details will be shared in public with the defensive community. However, that deadline can vary in the following ways:

Before the 90-day deadline has expired, if a vendor lets us know that a patch is scheduled for release on a specific day that will fall within 14 days following the deadline, we will delay the public disclosure until the availability of the patch.
When we observe a previously unknown and unpatched vulnerability in software under active exploitation (a "0day"), we believe that more urgent action — within 7 days — is appropriate. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more devices or accounts will be compromised. Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
We reserve the right to extend or cut deadlines in reasonable cases. Shifted deadlines are communicated to the vendor, with no exceptions.

Overall, it is important for us to clarify that the timeline of every disclosure of vulnerabilities will be aligned with vendors and/or customers in advance. In case there are reasonable justifications; to delay or advance disclosing certain details, we will always try our best to do so in alignment with the respective vendors and/or customers. The above-mentioned deadlines and default criteria for publishing security vulnerabilities aim to ensure, that we are able to provide security critical information in a timely manner even in situations, where affected vendors/partners/customers are not responsive and/or supportive in resolving the issue; through this we ensure that users and other affected individuals can take proper precautions for securing their data and infrastructure.

Please note, that while the timeline for disclosure of identified vulnerabilities might be subject to change and can be aligned in accordance with relevant circumstances, the decision about disclosure itself is solely up to Digilol.

Digilol does not take any liability for claims or damages which result from any disclosure done in accordance with this responsible disclosure policy. Furthermore, Digilol does not take responsibility for providing a full solution for any disclosed vulnerability; in case recommendations are provided alongside the disclosure of a new vulnerability, such recommendations are seen just as supplementary information which does not replace any kind of official recommendations or guidance provided directly by a vendor or supplier for the affected products.