Tuesday, July 10, 2007

[The Policy I follow]

This policy outlines how I try to handle responsible disclosure of a vulnerability
to the product vendors, security vendors and the general public.

Step 1: Vulnerability detected

Step 2: Inform the vendor of the product or the servce formally through email to following mail accounts/aliases

Step 3: Wait for vendor's acknowledgement for 5 working days

Step 4: If the vendor fails to acknowledge initial notification within 5 working days, I contact the vendor for second time using mail & other publicly available contact medium such as phone or fax

Step 5: If a vendor response is received within the timeframe we (vendor & me) wait for a reasonable period of time to develop a fix. I make every effort to work with vendors to ensure that they get the technical details and severity of the flaw detected.

Step 6: Once the patch is ready & released with responsible timeframe, in consent with the vendor I will formally and publicly release its security advisories on selected security mailing lists & other forums.

Consent of the vendor for discloser is important as few vendors do not like to get their vulnerability publicized as it may effect their reputation. Respecting their feelings I get the consent from the vendor & then publicize the flaw


Post a Comment