[The Policy I follow]
This policy outlines how I try to handle responsible disclosure of a vulnerability
to product vendors, security vendors and the general public.
Step 1: Vulnerability detected
Step 2: Inform the vendor of the product or the service formally through email to the following mail accounts/aliases:
security@VENDOR,
support@VENDOR,
info@VENDOR,
secure@VENDOR,
admin@VENDOR,
sysadmin@VENDOR
Step 3: Wait for the vendor's acknowledgement for 5 working days
Step 4: If the vendor fails to acknowledge the initial notification within 5 working days, I contact the vendor a second time using email and other publicly available contact media such as phone or fax
Step 5: If a vendor response is received within the timeframe, we (the vendor and I) wait for a reasonable period of time to develop a fix. I make every effort to work with vendors to ensure that they get the technical details and severity of the flaw detected.
Step 6: Once the patch is ready and released within a responsible timeframe, with the vendor's consent I formally and publicly release the security advisory on selected security mailing lists and other forums.
The vendor's consent for disclosure is important, as a few vendors do not like to have their vulnerabilities publicized because it may affect their reputation. Respecting this, I get the consent from the vendor and then publicize the flaw.
Tuesday, July 10, 2007