Cyera vulnerability disclosure policy

Cyera conducts security research as part of our commitment to improving the safety of the technology ecosystem. When we identify a vulnerability in a third-party product, service, or open-source project, we follow the coordinated disclosure process described in this policy.

This policy covers vulnerabilities Cyera identifies in third-party offerings. It does not apply to vulnerabilities reported to Cyera about our own products, which are handled under a separate process.

Standard Timeline: 90 Days

When we identify a vulnerability, we notify the affected vendor and give them 90 calendar days from the date of initial notice to make a patch or mitigation available to users.

If a patch is released within that window, we wait an additional 30 days after the patch becomes publicly available before publishing our findings. This buffer gives users time to apply the fix before technical details are public.

If no patch is available after 90 days, we may publish at that point without further notice.

Example: A vendor patches on day 60. We publish on day 90 (60 + 30).

Actively Exploited Vulnerabilities: 7 Days

If we determine a vulnerability is being actively exploited against real users, the timeline compresses to 7 calendar days from initial notice. The 30-day post-patch window still applies.

Vendors may request a short grace period beyond 7 days if they are actively working on a fix and additional time would meaningfully improve user protection. Any extension is at our discretion.

Grace Periods

For standard (non-exploited) vulnerabilities, vendors may request a 14-day grace period if a fix is imminent. This extends the maximum patch deadline to 104 days from initial notice; publication still follows 30 days after the patch becomes available.

Grace period requests should come before the deadline and include an expected patch date.

Early Disclosure

We may publish earlier than the applicable deadline if:

  • Cyera and the vendor mutually agree it would benefit users
  • Earlier disclosure is necessary to protect users from active or imminent harm
  • Coordination with CERTs, other vendors, or affected parties requires it
  • We are required to by law

When publishing early, we limit disclosed information to what is reasonably necessary for the purpose.

What We Publish

Our disclosures typically include a description of the vulnerability, the affected product and version, the date we notified the vendor, patch or mitigation information, and technical detail sufficient for the security community to understand the issue.

We use judgment on how much technical detail to include, weighing user safety against the risk that details could enable attacks before users are patched.

What We Expect from Vendors

We ask vendors to:

  • Acknowledge our report within a reasonable time
  • Investigate and validate the issue
  • Provide periodic status updates
  • Notify us when a patch is available
  • Coordinate with us on timing and public messaging

Vendor non-responsiveness does not pause or extend our disclosure timeline.

Contact

For all communications under this policy — acknowledgements, status updates, patch availability, or coordination requests — contact: responsibledisclosure@cyera.io.

For sensitive technical details or proof-of-concept materials, please use encrypted email.

Policy Updates

We may update this policy at any time. The version in effect at the time of initial notice for a given vulnerability will generally govern that report.