Coordinated Vulnerability Disclosure
VulNow is committed to the safety and security of the broader technology ecosystem. This policy outlines our approach to handling, coordinating, and publishing security vulnerabilities discovered by our research team.
Retrospective Vulnerability Tracking (PreCVEs)
A significant portion of VulNow's research involves identifying security flaws that have been remediated by the software maintainer or vendor but lack formal documentation. To ensure these issues are visible to security practitioners, VulNow assigns a proprietary identifier (VulNow PreCVE ID) and publishes the vulnerability details within 14 days.
Zero-Day Coordinated Disclosure
For newly discovered, unpatched vulnerabilities, VulNow adheres to standard industry practices for Coordinated Vulnerability Disclosure (CVD).
- Notification. VulNow will make a good-faith effort to contact the responsible maintainer or vendor via standard security channels.
- Timeline. Vendors are provided a 120-day coordination window from the date of initial contact to develop and release a remediation.
- Publication. VulNow will publish a security advisory upon the release of the maintainer's or vendor's patch, or upon the expiration of the 120-day window, whichever occurs first.
Accelerated Disclosure
VulNow reserves the right to deviate from the standard 120-day timeline under the following circumstances:
- Active Exploitation. If evidence indicates the vulnerability is being exploited in the wild, the coordination window will be reduced to 7 days.
- Public Knowledge. If the vulnerability details or a partial patch become publicly known prior to the end of the coordination window, VulNow may publish its advisory immediately.
Contact
For communications regarding coordinated disclosure, vendors may contact the VulNow security team at cvd@vul.now.