December 5, 2025

Our Approach to Coordinated Vulnerability Disclosure

Mav Levin

Founding Security Researcher

Depthfirst is finding new security vulnerabilities in open-source software every week. And we believe that finding these vulnerabilities is only valuable if it leads to a safer internet. We created this policy to clarify how we handle these public discoveries: ensuring maintainers have the time they need to fix issues, while ensuring users aren't left vulnerable.

How We Report (and What We Provide)

Every vulnerability we proactively report to open-source projects is verified by a human security engineer.

Our reports provide the full technical context needed to triage and fix the issue:

  1. Executive Summary
  2. Exploit Impact
  3. Technical Details
  4. Proof of Concept
  5. Suggested Fix

We are also happy to help resolve the vulnerability and verify that the patch effectively closes the gap.

The 90-Day Disclosure Standard

We follow a disclosure timeline modeled after Google’s external security team, designed to balance the pressure to fix bugs with the time required for users to apply updates.

90-Day Deadline

Vendors have 90 days from our initial report to release a fix. If 90 days pass without a patch, we will publicly disclose the vulnerability to empower users to defend themselves.

Patch Adoption Period

When a patch is released (whether on day 5 or day 85), we do not publish the technical details immediately. Instead, we wait 14 days after the patch is available.

This buffer allows users and administrators time to apply the update before we release the proof-of-concept and technical analysis. We believe this "patch-then-pause" approach is the most responsible way to improve the ecosystem.

Collaboration & Flexibility

We understand that complex vulnerabilities can require significant time to resolve. Our priority is a fixed ecosystem, not a strict deadline.

If you are actively communicating and have a concrete plan for a patch, we are happy to work with maintainers on reasonable extensions. As long as we see good-faith effort, we will work with you to ensure the fix is ready before details go public.

Improving the Ecosystem

This policy is how we turn security research into real-world safety. By combining our AI agent discovery capabilities with a responsible, human-led disclosure process, we aim to help maintainers secure their projects quickly and effortlessly.
