Notification and disclosure Policy
Thanks to Thierry Zoller for the permission to use his policy
Beginning of Terms/Policy (based on Secunia's policy) (Author: Thierry Zoller)
_________________________________________________________________________________
You are not allowed to share any details or proof-of-concept files with other vendors. Should such a request arrive, please forward it to me; I will gladly provide the material to the respective vendors. You may be quoted, or the complete e-mail communication may be published, if I deem it necessary for transparency.
- If no security contact is known for the vendor and none can be found at OSVDB, an e-mail requesting the security contact's e-mail address may initially be sent to certain public e-mail addresses associated with the vendor. Online forms may only be used to request security contact information.
- When a security contact or other relevant e-mail address has been identified, the vendor initially receives a mail with the vulnerability details along with a pre-set disclosure date (usually a Thursday two weeks later).
- If the vendor does not respond to the initial mail within a week, it is resent.
- If no response has been received by the pre-set disclosure date, the vulnerability information is published immediately without further coordination attempts.
- If the vendor responds to either the initial mail or the resent mail, a new disclosure date may be set in case the vendor cannot meet the pre-set date.
- I expect to receive continuous status updates from the vendor and a list of all affected products; if no list is given, all products are assumed to be vulnerable. If no updates are provided, the vendor will be contacted about once a month with a status update request (if time permits).
- Should a vendor not respond to a status update request, it is resent.
- Should the vendor not respond to two consecutive status update requests, a mail is sent to the vendor advising that the vulnerability information will be disclosed a week later if no response is received. If no response has been received by that date, the vulnerability information is published immediately without further coordination attempts.
- Eventually, the vulnerability information will be published by me when:
  - The pre-set/agreed disclosure date is reached.
  - The vendor issues a fix and/or security advisory.
  - Information about the same vulnerability is published by a third party.
  - A year from the initial contact date has passed.
  - The vendor denies the security nature of the bug and/or gives no credit for my work.
- Unless the vendor asks for an extension, I will not coordinate a vulnerability disclosure for more than two months. After two months the details will be published regardless of patch availability.