CNA Disclosure Policy

Outbound Vulnerability Disclosure Policy

How Aisle discloses security vulnerabilities it discovers in third-party software. Last updated: June 25, 2026.

Version: 1.0

Effective Date: June 25, 2026

Policy Owner: Information Security (CISO)

CNA Scope: Software developed and distributed by Aisle, Inc.

Public Point of Contact: [email protected]

Advisory Location: https://aisle.com/wall-of-fame

Policy URL: https://aisle.com/security/disclosure-policy

1. Purpose

Aisle is committed to the responsible disclosure of security vulnerabilities. This policy governs how Aisle handles vulnerabilities it discovers in third-party software products, libraries, and services, including open-source components and vendor software, where Aisle is the discovering party, not the vendor.

As a CVE Numbering Authority (CNA), Aisle may assign CVE identifiers to vulnerabilities within its CNA scope and is expected to operate in accordance with CVE Program rules and ENISA guidance under the EU Cyber Resilience Act (CRA).

2. Scope

2.1 In Scope

This policy applies to:

  • Vulnerabilities discovered by Aisle employees, contractors, or security researchers acting on behalf of Aisle
  • Vulnerabilities found in third-party software, open-source libraries, commercial products, cloud services, or hardware components
  • Vulnerabilities discovered through internal security research, penetration testing, code review, or threat intelligence activities

2.2 Out of Scope

This policy does not apply to:

  • Vulnerabilities reported to Aisle in its own products (covered by Aisle’s Coordinated Vulnerability Disclosure policy)
  • Vulnerabilities that Aisle is exploiting as part of authorized red-team or offensive security engagements under a separate agreement

3. Coordinated Disclosure Process

Aisle follows a coordinated disclosure model consistent with ISO/IEC 29147 and the CVE Program’s CNA rules. The process proceeds in the following phases:

| Phase | Timeline | Actions |
| --- | --- | --- |
| Discovery | Day 0 | Aisle security team identifies and validates the vulnerability internally. |
| Internal Triage | Day 0–7 | Severity assessed using CVSS v3.1/v4.0. Determine if CVE assignment is warranted. Assign internal tracking ID. |
| Vendor Notification | Day 7 | Aisle contacts the vendor/maintainer via their published security contact or security@[vendor]. If no contact exists, Aisle attempts to locate one via CERT/CC or the affected product’s repository. |
| Acknowledgement | Day 14 | Vendor expected to acknowledge receipt and confirm understanding of the issue. If no acknowledgement is received, Aisle sends a follow-up. |
| Remediation Period | Day 7–90 | Standard remediation window is 90 days from initial notification. Extensions up to 120 days may be granted at Aisle’s discretion for complex issues or demonstrated remediation progress. |
| CVE Assignment | Before public disclosure | If in scope, Aisle assigns a CVE ID via the CVE Program as a CNA. The CVE record is embargoed until public disclosure. |
| Public Disclosure | Day 90 (or earlier by mutual agreement) | Aisle publishes a security advisory at the advisory location listed in this policy. The CVE record is published simultaneously. |
| Early Disclosure | As required | If evidence of active exploitation exists, or if a vendor has released a patch ahead of the 90-day deadline, Aisle may disclose earlier with or without vendor agreement. |

4. CVE Assignment

Aisle operates as a CVE Numbering Authority (CNA) under the CVE Program. For vulnerabilities within Aisle’s CNA scope:

  • Aisle will request or assign a CVE ID upon confirming the vulnerability is valid, unique, and within scope.
  • CVE records will be kept in RESERVED status during the embargo period.
  • CVE records will be published in full no later than the date of public advisory publication.

For vulnerabilities outside Aisle’s CNA scope, Aisle will work with the applicable CNA or the CVE Program’s CNA-LR (Last Resort) to ensure assignment.

5. Advisory Publication

Aisle publishes security advisories at:

https://aisle.com/wall-of-fame

Each advisory will include:

  • CVE identifier(s)
  • Affected product(s) and version(s)
  • Vulnerability description and CVSS score
  • Proof-of-concept or technical details (where responsible to disclose)
  • Remediation guidance and patch references
  • Credit to the discovering researcher(s) where applicable

6. Point of Contact

For matters related to this policy, including requests from vendors to coordinate on a reported vulnerability, the public point of contact is:

Email: [email protected]

PGP Key: Available at https://aisle.com/security/pgp-key.txt

Response Time: Within 5 business days for acknowledgement; within 10 business days for initial assessment.

7. Severity Classification

Aisle uses CVSS v4.0 (with CVSS v3.1 as fallback) to classify severity. The following thresholds govern escalation and timeline flexibility:

| Severity | CVSS Score | Disclosure Timeline |
| --- | --- | --- |
| Critical | 9.0 – 10.0 | 60 days; earlier disclosure if actively exploited |
| High | 7.0 – 8.9 | 90 days standard; up to 120 days with demonstrated progress |
| Medium | 4.0 – 6.9 | 90 days; extensions granted for complex fixes |
| Low / Info | 0.1 – 3.9 | Up to 120 days; coordinate with vendor on timing |

8. Unresponsive or Non-Cooperative Vendors

If a vendor fails to acknowledge notification within 14 days, or fails to respond substantively within 30 days, Aisle will:

  • Attempt contact via an alternative channel (e.g., CERT/CC, national CSIRT, or the product’s public issue tracker)
  • Document all contact attempts and dates
  • Proceed with disclosure at the end of the standard remediation period, or sooner if the vulnerability poses immediate public risk

Aisle will not indefinitely withhold disclosure to protect a non-cooperative vendor.

9. Legal Safe Harbor

Aisle’s vulnerability research activities are conducted in good faith under this policy. Aisle will not take legal action against researchers who discover and responsibly disclose vulnerabilities in third-party products, provided those researchers:

  • Operate within the scope of their authorization (e.g., on systems they own or have explicit permission to test)
  • Comply with applicable law
  • Notify the affected vendor through appropriate channels

10. Policy Review and Updates

This policy is reviewed annually, or upon a material change in Aisle’s CNA scope or applicable regulatory requirements. The CISO is responsible for maintaining this policy.