| --- |
| layout: default |
| title: Bug disclosure guidelines |
| parent: Getting started |
| nav_order: 4 |
| permalink: /getting-started/bug-disclosure-guidelines/ |
| --- |
| |
| ## Bug Disclosure Guidelines |
| |
| Following [Google's standard disclosure policy](https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html), |
| OSS-Fuzz will adhere to following disclosure principles: |
| |
| - **Deadline**. After notifying project authors, we will open reported |
| issues to the public in 90 days, or after the fix is released (whichever |
| comes earlier). |
| - **Weekends and holidays**. If a deadline is due to expire on a weekend, |
| the deadline will be moved to the next normal work day. |
| - **Grace period**. We have a 14-day grace period. If a 90-day deadline |
| expires but the upstream engineers let us know before the deadline that a |
| patch is scheduled for release on a specific day within 14 days following |
| the deadline, the public disclosure will be delayed until the availability |
| of the patch. |
