Bug disclosure guidelines

Bug Disclosure Guidelines

Following Google’s standard disclosure policy, OSS-Fuzz will adhere to following disclosure principles:

Deadline. After notifying project authors, we will open reported issues to the public in 90 days, or after the fix is released (whichever comes earlier).
Weekends and holidays. If a deadline is due to expire on a weekend, the deadline will be moved to the next normal work day.
Grace period. We have a 14-day grace period. If a 90-day deadline expires but the upstream engineers let us know before the deadline that a patch is scheduled for release on a specific day within 14 days following the deadline, the public disclosure will be delayed until the availability of the patch.