Vulnerability Disclosure Policy
Voke Cyber runs an ongoing security research program. When we find a vulnerability in software we do not own, we disclose it the right way: privately, to the people who can fix it, with enough time to ship a fix before any details go public. This page explains how we handle the vulnerabilities we find, and how to report one to us.
In short
Fix first, publish second. We report privately, give vendors reasonable time to patch, request a CVE, and publish a clear advisory only after a fix is available. We do not sell, trade, or weaponize what we find.
How we disclose what we find
When we discover a vulnerability in third-party software, we follow coordinated disclosure:
- Report privately. We contact the vendor or maintainer through their preferred secure channel — a security advisory process, a published security contact, or private vulnerability reporting. We do not post details publicly before the people who can fix it have had a chance to.
- Work with the vendor. We provide clear reproduction steps and impact, answer questions, and help validate the fix. The goal is to get the issue fixed, not just reported.
- Give reasonable time. Our standard window is 90 days from our initial report to public disclosure. We extend it when a vendor is engaged and working in good faith, and we may move faster if a fix ships sooner or the issue is already being exploited in the wild.
- Request a CVE. Where appropriate we request a CVE so the issue is tracked in the public record, and we credit the vendor for the fix.
- Publish responsibly. After a fix is available, we publish an advisory in our Research section. We describe the vulnerability and its impact plainly, but we hold back exploit code and fine-grained technical detail that would help attackers more than defenders while many users are still patching.
We do not sell vulnerabilities, trade them privately, or use them for anything other than coordinated disclosure and the defensive work we do for our clients. We never ask a vendor for payment in exchange for staying quiet.
What we publish, and when
Our advisories go live only after the issue is fixed or the disclosure window has closed. Each one links to the official CVE record and the vendor advisory so you can verify it independently. If a vendor disputes a finding, we say so.
Reporting a vulnerability to us
If you have found a security issue in Voke Cyber's own website or systems, we want to hear about it.
How to report
- Email info@vokecyber.com with "Security Disclosure" in the subject line.
- Include enough detail for us to reproduce the issue: what you found, where, and the impact.
- Give us a reasonable amount of time to investigate and fix the issue before sharing it publicly.
What we ask of you
- Act in good faith. Do not access, modify, or delete data that is not yours, and do not degrade our service for others.
- Do not run automated scanning that disrupts availability, social-engineer our team, or target our physical facilities.
- Keep the details private until we have had a chance to address the issue.
What you can expect from us
- If you make a good-faith effort to follow this policy, we will not pursue legal action against your research, and we will work with you in good faith.
- We will acknowledge your report, keep you updated as we investigate, and credit you when the issue is resolved if you would like to be credited.
Scope
This policy covers vokecyber.com and the systems we operate. It does not authorize testing against our clients, their systems, or any other third party. Testing the systems of our clients or any organization without their explicit written authorization is outside this policy and is not something we sanction.
Our principles
- Fix first, publish second.
- Credit where it is due — to vendors who fix issues and to researchers who report them.
- No exploitation, no extortion, no selling findings.
- Clear, verifiable advisories tied to the public record.
The standard we hold ourselves to
This is the same care we bring to client work: report clearly, prove impact, and help you fix it. See what that looks like in our research, or talk to us about testing your own software.