Vulnerability Disclosure Policy

Last Updated: August 2, 2025

In alignment with the beliefs, spirit, and impact of Google Project Zero, Micro Evaluation Group has adopted the same Vulnerability Disclosure Policy.

We believe that vulnerability disclosure is a two-way street. Vendors, as well as researchers, must act responsibly. This is why Micro Evaluation Group adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix. That deadline can vary in the following ways:

As always, we reserve the right to bring deadlines forwards or backwards based on extreme circumstances. We remain committed to treating all vendors strictly equally. Micro Evaluation Group expects to be held to the same standard.

This policy is strongly in line with our desire to improve industry response times to security bugs, but also results in softer landings for bugs marginally over deadline. We call on all researchers to adopt disclosure deadlines in some form, and feel free to use our policy verbatim if you find our record and reasoning compelling. Creating pressure towards more reasonably-timed fixes will result in smaller windows of opportunity for blackhats to abuse vulnerabilities. In our opinion, vulnerability disclosure policies such as ours result in greater overall safety for users of the Internet.