CYGENCE DISCLOSURE POLICY
Cygence is committed to the responsible handling and disclosure of security vulnerabilities.
Reporting Vulnerabilities
Security vulnerabilities may be reported to:
Email: cve [at] cygence [dot] com [dot] au
Reports should include sufficient technical detail to allow assessment of the issue. Anonymous submissions are accepted.
Reporters are encouraged to provide:
Affected product, service, or component;
Version information;
Technical description of the vulnerability;
Reproduction steps or proof of concept;
Impact assessment;
Contact information (optional).
Guiding Principles
Cygence’s disclosure activities are guided by the following principles:
Accuracy: Ensure technical correctness and clarity;
Timeliness: Avoid unnecessary delays in publication;
Coordination: Support responsible, coordinated disclosure;
Neutrality: Act independently of commercial or competitive interests;
Consistency: Apply vulnerability disclosure uniformly.
Vulnerability Reporting Acknowledgement
Upon receipt, Cygence will:
Acknowledge the report within a reasonable timeframe;
Determine whether the issue represents a security vulnerability;
Confirm whether the vulnerability is within Cygence scope;
Assess severity using CVSS or an equivalent scoring system.
If a report is out of scope or does not meet CVE eligibility criteria, Cygence will document the decision and, where possible, redirect the reporter.
Vulnerability Identification
For validated vulnerabilities, Cygence may:
Assess technical impact and severity;
Coordinate disclosure timelines with affected parties;
Reference or request vulnerability identifiers from appropriate authorities when applicable.
Disclosure Approach
Cygence follows coordinated vulnerability disclosure practices consistent with widely accepted industry standards.
Where appropriate, we work with reporters and affected vendors or maintainers to enable remediation prior to public disclosure.
In the event of a vulnerability being discovered, Cygence will undertake the following actions (except where doing so would breach any law or obligation owed to any person):
Attempt to establish contact with the vendor of the affected software by sending appropriate notifications to various publicly available contact channels. The initial contact will not disclose the nature of the vulnerability;
If contact cannot be established due to the vendor being unresponsive, Cygence will attempt to use various channels over a period of one month. If contact is still not successful, Cygence may at its discretion release the details of the vulnerability to allow affected users to protect themselves;
If contact has been established, Cygence will attempt to establish a secure communication channel and disclose all necessary steps to reproduce the vulnerability to the vendor;
The vendor will be given 90 days starting from the disclosure date to fix the reported issue(s) and release the necessary patches or introduce steps for their users to protect themselves;
If the vendor releases the fixes OR the 90-day deadline is approaching, Cygence will contact the vendor and inform them of the intention to disclose the vulnerability to the public, giving the vendor the opportunity to request a public disclosure delay; and
In the event the vendor requests continuous delays or the vendor becomes uncontactable, Cygence may proceed with public disclosure to protect users.
Public Disclosure
Public disclosure may occur when:
A fix or mitigation is available;
A coordinated disclosure timeline has concluded;
Risk to users requires broader awareness.
Public disclosures typically include a technical description, affected versions, and references to mitigations or advisories. Cygence does not publish exploit code.
Coordination and Embargo Handling
Where coordination is appropriate, Cygence may:
Engage affected vendors or maintainers;
Support embargoed handling of vulnerability details;
Agree on a reasonable disclosure timeline.
Embargo periods are not fixed and are determined based on:
Severity and exploitability;
Evidence of active exploitation;
Remediation readiness;
CVE Program expectations.
Cygence reserves the right to proceed with disclosure if risk to users warrants it.
Confidentiality and Attribution
Reporter identity will be treated as confidential unless explicit permission is provided. Attribution is optional and controlled by the reporter.
Good-Faith Security Research
Cygence supports lawful, good-faith security research conducted in accordance with applicable laws and ethical guidelines.
This policy does not authorize activities such as:
Service disruption;
Unauthorised data access or exfiltration;
Social engineering or physical intrusion.
Contact
For vulnerability disclosure or security coordination inquiries:
Email: cve [at] cygence [dot] com [dot] au
Previously Reported Vulnerabilities:
Cygence vulnerability disclosures are located at this link: