1. Notification Timeline
   • Beacon Technology Group adheres to a 90-day notification period after the initial disclosure to the affected vendor. This period allows vendors ample time to analyze the root cause and develop a corresponding software patch.
   • Findings may be published after 90 days or upon the release of a patch, whichever occurs first. Mutual agreement with the vendor can adjust this timeline as necessary.
   • If the vendor does not respond within 14 days following the initial notification and Beacon Technology Group has made at least two attempts to contact the vendor through publicly available email addresses or by phone, the findings will be published.
     
     
2. Critical Vulnerabilities
   Vulnerabilities deemed critical and actively exploited (i.e., leaked and used by attackers) will follow a 45-day notification period to enable users to deploy fixes promptly.
   
   
3. Adjustments and Grace Periods
   Beacon Technology Group reserves the right to adjust the publication date in extreme circumstances.
   A 14-day grace period may be granted if a vendor communicates that a patch will be delivered shortly after the deadline. If no patch date is provided or if the patch date is beyond the 14-day grace period, the report will be published at the deadline even if the vulnerability remains unpatched. Immediate publication may occur if a patch is released during the grace period.
   If a deadline falls on a weekend or holiday, publication will occur on the next business day.
   
   
4. Ultimate Authority
   Beacon Technology Group retains the ultimate authority to determine the criticality of vulnerabilities and the necessity of disclosures to third parties within our ecosystem or our customers.
   
   

This policy underscores our commitment to improving cybersecurity by responsibly sharing our intelligence and working collaboratively with vendors to address vulnerabilities effectively.