This document outlines VISTA InfoSec’s disclosure policy as it relates to vulnerabilities identified by VISTA InfoSec staff in the course of company-sponsored research. Upon identification of a security vulnerability, VISTA InfoSec will attempt to contact the appropriate product vendor by email and telephone. Fifteen days (15) days after notification to the product vendor, VISTA InfoSec will report the vulnerability to the Carnegie Mellon Computer Emergency Response Team (CERT), whether or not the product vendor has responded to VISTA InfoSec. Based on CERT’s own disclosure policy, CERT will publish an advisory related to the vulnerability approximately forty-five (45) days (more or less depending on extenuating circumstances) to the general public. At this time, VISTA InfoSec may provide our customers with product updates for the purpose of detecting and re-mediating this vulnerability.