CNA Disclosure Policy
This Vulnerability Disclosure Policy (“Policy”) outlines how Toreon NV (“Toreon”, “we”, “our”, or “us”) handles and publicly discloses third-party product vulnerabilities discovered by our security research and offensive security teams. This Policy does not apply to findings discovered during client engagements or assessments that fall under contractual confidentiality obligations, including Non-Disclosure Agreements (NDAs), unless the client provides explicit written permission for broader disclosure.
Toreon is committed to improving the security of the global digital ecosystem by identifying and responsibly disclosing vulnerabilities in software, hardware, and systems. Our ultimate goal is to reduce risk for all users impacted by affected products or systems.
Scope
This Policy applies to security vulnerabilities identified in third-party products that Toreon chooses to disclose publicly. This includes vulnerabilities for which Toreon may request or assign CVE identifiers, provided the affected vendor is not already covered by another CVE Numbering Authority (CNA). Toreon is dedicated to reporting any finding with demonstrable security impact that is discovered during our research.
Advisories
To follow accepted practice for assigning CVE IDs, we apply the following considerations when creating advisories:
- The advisory will include all the relevant information for the vendor to understand the technical weakness.
- We will assign a CVE ID to each finding, unless the findings are deemed to share a single common fix.
- The advisory may contain proof-of-concept code, which is delivered without any guarantees or liabilities. We are not responsible for any damage caused by executing such code.
Disclosure Process
When Toreon discovers a previously unknown vulnerability, the disclosure process proceeds as follows:
- A technical report is prepared, including reproduction steps and, if possible, a working proof of concept.
- If discovered during a client engagement, the vulnerability is reported directly to the client. If a third-party product is affected, Toreon will request the client’s written consent before notifying the product vendor.
- If discovered independently through Toreon research, the vulnerability is reported directly to the affected vendor.
- A draft advisory is created internally, recording the affected product, disclosure status, and a timeline. This draft is updated with all significant developments (e.g., vendor acknowledgement, patch release, exploitation in the wild).
- Vendors are contacted using available security or support channels. If possible, they will be invited to view the private advisory through a secure platform. Toreon will wait five (5) days for the vendor to acknowledge receipt of the finding.
- After acknowledgement, the vendor has three (3) days to confirm the vulnerability. If no meaningful communication occurs within that timeframe, Toreon will continue the responsible disclosure process.
- If the vendor remains non-responsive for fifteen (15) days, Toreon reserves the right to disclose the vulnerability.
- In cases where vendors cooperate, Toreon will coordinate a public disclosure date, preferably within ninety (90) days of the initial report.
Toreon retains the right to accelerate disclosure if we determine that doing so is in the public’s best interest (e.g., active exploitation in the wild).
Responsible Disclosure
Final publication includes:
- Updating the public advisory with full technical details, remediation guidance, and proof-of-concept artifacts if applicable.
- Issuing a CVE identifier if not already assigned.
- Disseminating the advisory via Toreon’s website and professional communication channels (e.g., LinkedIn, blog posts).
Toreon believes that responsible, transparent vulnerability disclosure benefits not just the vendor, but the broader community of users, defenders, and researchers.