CYGENCE DISCLOSURE POLICY

Cygence is committed to the responsible handling and disclosure of security vulnerabilities.

Reporting Vulnerabilities

Security vulnerabilities may be reported to:

Email: cve [at] cygence [dot] com [dot] au

Reports should include sufficient technical detail to allow assessment of the issue. Anonymous submissions are accepted.

Reporters are encouraged to provide:

  • Affected product, service, or component;

  • Version information;

  • Technical description of the vulnerability;

  • Reproduction steps or proof of concept;

  • Impact assessment;

  • Contact information (optional).

Guiding Principles

Cygence’s disclosure activities are guided by the following principles:

  • Accuracy: Ensure technical correctness and clarity;

  • Timeliness: Avoid unnecessary delays in publication;

  • Coordination: Support responsible, coordinated disclosure;

  • Neutrality: Act independently of commercial or competitive interests;

  • Consistency: Apply vulnerability disclosure uniformly.

Vulnerability Reporting Acknowledgement

Upon receipt, Cygence will:

  • Acknowledge the report within a reasonable timeframe;

  • Determine whether the issue represents a security vulnerability;

  • Confirm whether the vulnerability is within Cygence's scope;

  • Assess severity using CVSS or an equivalent scoring system.

If a report is out of scope or does not meet CVE eligibility criteria, Cygence will document the decision and, where possible, redirect the reporter.

Vulnerability Identification

For validated vulnerabilities, Cygence may:

  • Assess technical impact and severity;

  • Coordinate disclosure timelines with affected parties;

  • Reference or request vulnerability identifiers from appropriate authorities when applicable.

Disclosure Approach

Cygence follows coordinated vulnerability disclosure practices consistent with widely accepted industry standards.

Where appropriate, we work with reporters and affected vendors or maintainers to enable remediation prior to public disclosure.

Public Disclosure

Public disclosure may occur when:

  • A fix or mitigation is available;

  • A coordinated disclosure timeline has concluded;

  • Risk to users requires broader awareness.

Public disclosures typically include a technical description, affected versions, and references to mitigations or advisories. Cygence does not publish exploit code.

Coordination and Embargo Handling

Where coordination is appropriate, Cygence may:

  • Engage affected vendors or maintainers;

  • Support embargoed handling of vulnerability details;

  • Agree on a reasonable disclosure timeline.

Embargo periods are not fixed and are determined based on:

  • Severity and exploitability;

  • Evidence of active exploitation;

  • Remediation readiness;

  • CVE Program expectations.

Cygence reserves the right to proceed with disclosure if risk to users warrants it.

Confidentiality and Attribution

Reporter identity will be treated as confidential unless explicit permission is provided. Attribution is optional and controlled by the reporter.

Good-Faith Security Research

Cygence supports lawful, good-faith security research conducted in accordance with applicable laws and ethical guidelines.

This policy does not authorise activities such as:

  • Service disruption;

  • Unauthorised data access or exfiltration;

  • Social engineering or physical intrusion.

Contact

For vulnerability disclosure or security coordination inquiries:

Email: cve [at] cygence [dot] com [dot] au

Previously Reported Vulnerabilities

Cygence vulnerability disclosures are located at this link:

VULNERABILITY DISCLOSURES — Cygence