Disclosure Before Deployment

Shipping secure systems requires choreography between builders, customers, and the research community. We now run a disclosure sprint before every major deployment, treating it as a first-class engineering milestone rather than a compliance checkbox.

Six weeks before launch we freeze features and publish design notes to a vetted researcher pool. Four weeks out, we deliver reproducible harnesses—Docker images, seed datasets, and environment descriptors—that mirror the production surface. Researchers test against near-real infrastructure without waiting for go-live.

During the sprint, a dedicated response room operates around the clock. Findings are triaged within twelve hours, severity is agreed upon collaboratively, and patches land in staging before the next business day. Customers with contractual dependencies join the room, gaining visibility into mitigations before they reach production.

The process culminates in coordinated disclosure. We draft public advisories jointly with researchers, allocate CVE identifiers, and ship customer-ready remediation guides. Because we have already rehearsed the rollout, the final deployment weekend is calm. Operations teams flip the switch knowing every high-severity issue has a signed-off fix waiting. This mirrors the outbound disclosure programs recently formalized by OpenAI and Anthropic—policies that prove top labs now expect to share findings beyond their own stacks.

We also align with lessons surfaced by CERT/CC’s February 2025 analysis of AI-specific coordinated disclosure. Their research underscored how opaque model behaviors and restrictive terms of service can derail collaboration. To avoid those failure modes, we pre-authorize testing scopes, publish deterministic reproduction harnesses, and guarantee safe harbor for good-faith researchers.

This cadence changed the tone of customer conversations. Instead of promising eventual mitigations, we arrive with artifacts—patched binaries, infrastructure-as-code diffs, and annotated timelines—that demonstrate accountability. Procurement cycles shortened because risk teams viewed the disclosure sprint as proof of maturity. Boards appreciate that we can cite industry guidance, academic proposals for third-party flaw disclosure, and our own performance metrics when renewing contracts.

Responsible disclosure at startup speed is absolutely possible. It simply requires planning the same way we plan load tests or availability drills. We budget time, assign owners, and track metrics such as mean time to remediation. The result is a tighter loop between discovery and defense, with trust earned before the first user ever logs in—and with a playbook ready for the next wave of regulatory expectations.