Responsible Disclosure Policy for Third Parties

Responsible Disclosure Policy for Third Parties

SentinelOne conducts security research and discloses the vulnerabilities it finds to affected vendors to encourage patching. SentinelOne publishes its findings in order to promote a more secure security landscape.

This policy follows a 90-day deadline after first notification, giving vendors time to perform root cause analysis and develop a software patch. SentinelOne may publish their findings after the 90 days have passed or the day a patch is released, whichever is earlier. Otherwise, earlier disclosure may be mutually agreed upon. If the vendor does not reply within 14 days after first notification and SentinelOne has made two or more attempts to contact vendors either through their publicly available email addresses set up to receive such notices or by phone, SentinelOne will publish the findings.

Bugs that are deemed critical and are actively being exploited (have been leaked and actively used by attackers) shall follow a 45-day deadline to aid users in deploying a fix.

SentinelOne may move the publication date forward or backwards in extreme circumstances.

SentinelOne shall provide a 14-day grace period if a vendor communicates that a patch is due to be delivered outside of the deadline, but within 14 days of the 90-day deadline. If no patch date is given or the patch date falls outside the 14-day grace period, the report will be published at the respective deadline even if the bug remains unpatched. If a patch is released during the grace period, the reports may be immediately published.
If a deadline falls on a weekend or holiday, publication shall occur on the next business day following the weekend or holiday.