Last updated: March 24, 2026
Purpose
Tacit provides a structured framework for software publishers to communicate with customers, users, partners, and other relevant stakeholders when vulnerabilities affect — or do not affect — their products. This policy defines how vulnerability-related information is documented, reviewed, identified, and disclosed through Tacit.
The purpose of this policy is to support clear, consistent, and auditable vulnerability communication. By establishing common rules for submission, review, identification, and disclosure, Tacit helps publishers maintain reliable records and share timely information with the appropriate audiences.
Scope
This policy applies to statements published in Tacit in relation to software products, services, or components referenced by publishers on the platform. These statements may relate either to vulnerabilities already disclosed or referenced through public identifiers, public advisories, or other external sources, or to newly identified vulnerabilities first documented in Tacit.
For newly identified vulnerabilities first documented in Tacit, this policy also governs the creation, review, identification, tracking, and disclosure of related vulnerability records. All newly identified vulnerabilities documented in Tacit and falling within the scope of this policy are assigned a Tacit ID for tracking and disclosure purposes. This policy also applies to requests for potential CVE ID assignment in relation to certain newly identified vulnerabilities documented in Tacit.
This policy does not apply to submissions that are incomplete, outside Tacit’s defined scope, submitted without sufficient authority from the relevant publisher, or otherwise ineligible for processing.
Submission Requirements
To fall within the scope of this policy, a submission must relate to a software product, service, or component referenced by the submitting publisher in Tacit and must be submitted by a party authorized to act on behalf of that publisher.
Submissions for Statements Relating to Existing Public Vulnerabilities
Where a submission concerns a statement relating to a vulnerability already disclosed or referenced through a public identifier, public advisory, or other external source, the submitting party must provide sufficient information to allow Tacit to publish the relevant statement.
Such submissions should include, where applicable:
the relevant public identifier, advisory, or external reference;
the referenced product, service, or component, and the relevant version(s), where applicable;
the publisher’s position as to whether the vulnerability affects, may affect, or does not affect the referenced product;
any supporting explanation, remediation information, mitigation guidance, or version-specific clarification intended for relevant stakeholders.
Submissions for Newly Identified Vulnerabilities
Where a submission concerns a newly identified vulnerability first documented in Tacit, the submitting party must provide sufficient information to allow Tacit to create the related vulnerability record and support any related statements.
Such submissions should include, where applicable:
a description of the vulnerability;
the security impact or potential impact of the vulnerability;
the referenced product, service, or component, and the relevant version(s), where applicable;
any known remediation, mitigation, or workaround information;
any relevant technical references, internal tracking references, or supporting materials;
the current disclosure status of the vulnerability.
CVE Assignment Requests, Review, and Decision
Requests for CVE ID assignment may be accepted only where the publisher intends to make the related vulnerability disclosure publicly accessible without audience restriction, whether through Tacit or another appropriate public source. Requests relating only to disclosures limited to private or selected audiences are not eligible for CVE ID assignment through Tacit.
Where a publisher requests assignment of a CVE ID for a newly identified vulnerability documented in Tacit, the submission must include sufficient information for Tacit to assess eligibility, scope, and assignment authority.
As part of this review, Tacit may assess, where relevant:
whether the submission relates to a newly identified vulnerability documented in Tacit;
whether the submitting party is authorized to act on behalf of the relevant publisher;
whether the submission contains sufficient information to support review and potential assignment;
whether the vulnerability appears to meet the applicable eligibility criteria for CVE ID assignment;
whether Tacit is the appropriate authority to assign the CVE ID, or whether another authority is more appropriate.
Following review, Tacit may:
assign a CVE ID;
request additional information or clarification;
defer a decision pending further information or coordination;
decline the request; or
redirect the publisher to another authority, where appropriate.
Submission of a vulnerability through Tacit does not guarantee that a CVE ID will be assigned. Assignment decisions are made based on Tacit’s defined scope, applicable eligibility criteria, and any other requirements governing assignment authority.
Where Tacit declines or redirects a request, the related vulnerability record and any related statements may remain documented and disclosed through Tacit in accordance with this policy.
Disclosure and Publication
Publishers control whether and when vulnerability-related information is disclosed through Tacit. Tacit does not determine whether a publisher’s chosen disclosure timing or scope complies with applicable law, regulation, contractual obligations, or relevant industry good practices; this remains the responsibility of the publisher.
A statement is disclosed only when the publisher chooses to publish it. The visibility of each published statement depends on the publisher’s selected visibility settings and may be limited to specific audiences, including watchers, or made fully public.
For newly identified vulnerabilities first documented in Tacit, the related vulnerability record is not accessible by watchers unless and until at least one related statement is published. Once published, access to the related information remains subject to the publisher’s selected visibility settings.
A publisher may request CVE ID assignment for a newly identified vulnerability and may choose to publish related statements before a CVE ID has been assigned. Where a CVE ID is assigned after publication, Tacit may update the related vulnerability record and any related statements to reflect that assignment.
Publishers remain responsible for the accuracy, completeness, and appropriateness of the information they disclose through Tacit, except where Tacit separately reviews and assigns a CVE ID in accordance with this policy.