This policy outlines how Tencent Xuanwu Lab (“X-Lab” hereafter) responsibly discloses vulnerabilities to affected vendors.
Every interesting piece of software, platform and device is our target. X-Lab often discovers new bugs and vulnerabilities in our targets. Each one will be assigned an X-Lab ID. A security advisory entry will be created when a vulnerability is discovered, but the details are omitted.
To make the world safer, X-Lab will actively collaborate with affected vendors to fix these bugs and vulnerabilities. Vulnerability details will be made public shortly after a vendor patch is available, but the exact release date is solely decided by X-Lab.
Vulnerabilities will be disclosed to the public 90 days after the initial report, regardless of availability of patches from affected vendors.
X-Lab will make its best efforts to contact the affected vendors through publicly available methods. We will also work with third-party coordinators, including but not limited to MITRE Corporation, CERT Coordination Center (CERT/CC), and China National Vulnerability Database (CNVD), to ensure vulnerability identifiers are assigned and affected vendors are notified.
Before public disclosure of a vulnerability, X-Lab may share technical details with Tencent’s security product teams to develop a proactive response to protect our customers.
Vulnerabilities will be disclosed in the advisories section of our website.