Vulnerability Discovery and Disclosure Policy
Last updated: March 18, 2026
1. Scope
This policy applies to all vulnerability findings generated through the Unpatched.ai platform, whether discovered in your own code, open-source dependencies, or third-party libraries included in repositories you submit for assessment.
2. Public Disclosure
Vulnerabilities identified by the Service must not be disclosed publicly unless and until the affected vendor or maintainer has released a fix or a reasonable disclosure timeline has elapsed. You are responsible for coordinating disclosure with the relevant vendor or maintainer before making any findings public. We recommend following established coordinated disclosure practices, such as providing at least 90 days for the vendor to address the issue before public disclosure.
3. Lawful Use Only
All vulnerabilities discovered through Unpatched.ai must be used for lawful purposes only. If you are using the Service on behalf of an employer or client, they must be a person or entity located in one of our supported regions.
4. Confidentiality of Findings
Assessment findings should be treated as sensitive information. You should limit access to findings to those who need them for remediation, security operations, or compliance purposes. Do not share raw findings publicly or with unauthorized parties.
5. Your Responsibility
Unpatched.ai provides automated security analysis tooling. You are solely responsible for how you use, act on, or distribute the findings generated by the Service. We are not responsible for any consequences arising from your use or disclosure of vulnerability information.
6. Accuracy of Findings
Findings are generated by automated analysis and may contain false positives, false negatives, or inaccuracies. You should verify all findings independently before acting on them, reporting them to vendors, or making decisions based on them.
7. Responsible Use
You agree to handle all vulnerability information with care. Misuse of findings may result in termination of your account and may be reported to the appropriate authorities.
8. Changes to This Policy
We may update this policy from time to time. Changes will be posted on this page with an updated revision date.