Building Trust Through Transparency: Coordinated Vulnerability Disclosure at Redguard

Jan 27, 2026 by Patrick Schmid

At Redguard, we regularly identify previously unknown security issues (zero-day vulnerabilities) during penetration tests, code reviews, and other client engagements. These findings affect not only the client’s systems, but also third-party products, platforms, or services they rely on. Most of these issues, however, remain strictly confidential due to non‑disclosure agreements (NDAs) in place with our clients — and as a result, they cannot be disclosed publicly.

When authorized by a client, we initiate a so-called coordinated vulnerability disclosure (CVD) process for relevant findings. This allows us to privately report verified vulnerabilities to the responsible vendor and support their remediation efforts, before publishing a technical advisory once the issue is resolved — or after a clearly defined timeline.

By handling these cases transparently and collaboratively, we help reduce long-term risk not only for our clients, but also for the broader community of users who depend on the same technologies. More broadly, this process reflects how we view our role: enabling informed, actionable security outcomes that extend beyond a single engagement.

This blog post outlines how we handle such disclosures, what vendors can expect from us, and why CVD benefits our clients and the wider security ecosystem.

What is a Coordinated Vulnerability Disclosure?

Coordinated Vulnerability Disclosure (CVD) is a responsible reporting process in which we privately share validated security vulnerabilities with affected vendors, giving them time to investigate and implement a fix before public disclosure.

CVD stands in contrast to full disclosure. Its purpose isn’t publicity — it’s risk mitigation. The process ensures that vulnerabilities are addressed efficiently while enabling transparency and maintaining professional integrity. It also aligns with established industry practice, such as the disclosure policy of Google Project Zero or the CVE programs run by various CERTs.

Key principles of our process

Our approach to CVD follows a clear and consistent process grounded in professionalism and accountability:

  1. Client authorization required: We only initiate CVDs when a client has explicitly authorized it. Once approved, we compile a technical advisory — including affected versions, reproduction steps, risk assessment, and, where applicable, proof-of-concept code.

  2. Secure and confidential communication: We reach out to the vendor through secure channels, initially sharing only minimal details. The advisory and technical content are transmitted via encrypted means.

  3. Defined disclosure timeline: We follow a 90-day disclosure window by default, consistent with industry norms. Extensions of up to 180 days are available if the vendor demonstrates progress and requests additional time. If the vendor remains unresponsive for more than 14 days, we may escalate the case to a coordinating body such as CERT/CC, BACS, or an upstream vendor, depending on the nature of the vulnerability and affected ecosystem.

Throughout the process, we remain available to assist with clarifications, validate proposed patches, and coordinate publication timelines. Once the vendor acknowledges the issue, we also initiate the process of assigning a CVE identifier where appropriate, ensuring the vulnerability is tracked and referenced correctly.

We maintain detailed internal logs for each disclosure, documenting communication, decisions, and actions taken across the timeline. This ensures traceability, transparency, and consistency with our internal quality standards.

What vendors can expect from us

We handle every disclosure with the goal of constructive cooperation. Vendors can expect a structured and professional experience from first contact to final publication.

  • Advisories are technically accurate, objective, and respectfully worded.
  • Reproduction steps, version information, and PoCs are included where necessary.
  • We remain available throughout the disclosure window to clarify findings, validate patches, and support coordinated disclosure.
  • We offer optional patch validation support to help vendors confirm successful remediation.
  • Escalation happens only in cases of prolonged non-response and is managed through appropriate channels.

We prioritize security, confidentiality, and clarity.

What customers can expect from us

For clients who permit CVDs, the process reflects Redguard’s commitment to proactive security - extending the value of an engagement beyond internal findings to the broader ecosystem.

  • Vulnerabilities are handled with technical depth, legal diligence, and ethical responsibility.
  • Structured disclosure reduces long-term exposure to third-party risks.
  • Clients gain assurance that their security partner helps improve the underlying tools and platforms they depend on.
  • Client identities are never shared with vendors unless explicitly agreed upon. Disclosures contain no client-specific data or context.

Participation in a CVD can also demonstrate maturity and responsibility to regulators, partners, and stakeholders who expect high standards in vulnerability management. Where CVDs are not authorized, findings remain entirely within the test scope and are not disclosed externally.

Building Trust Through Transparency

CVD is more than a best practice — it’s an essential part of responsible security work. At Redguard, we see it as integral to our mission: helping clients secure their assets. Our CVD process is structured, consistent, and rooted in collaboration. Whether you’re a vendor receiving a report or a client supporting disclosure, you can trust us to act with professionalism, discretion, and purpose.

We appreciate every client that enables us to carry out CVD on their behalf. And for vendors: if we contact you, it’s because we believe in fixing things together — not pointing fingers. If you’d like to learn more about how our process works, we’re happy to talk.
