Security Basics mailing list archives
Re: Proper vulnerability disclosure process ????
From: Mike Caudill <mcaudill () cisco com>
Date: Wed, 14 Dec 2005 16:53:10 -0500
vipul kumra <vikumar2 () yahoo com> [2005-12-14 11:55] wrote:

> Hi,
>
> Could anyone please throw some light on what is the proper vulnerability disclosure process? Also, are there any legal implications if this is not done correctly (ethically)? How many days should someone wait if the company which owns the vulnerable product doesn't respond back? Is there a standard way (industry protocol) for vulnerability disclosure?
Vipul,

There are several:

NIAC Vulnerability Disclosure Framework
http://www.dhs.gov/dhspublic/interweb/assetlibrary/vdwgreport.pdf

OIS
http://www.oisafety.org/guidelines/secresp.html

RFP
http://www.wiretrip.net/rfp/policy.html

-Mike-

--
Mike Caudill <mcaudill () cisco com>
PSIRT Incident Manager
DSS PGP: 0xEBBD5271
+1.919.392.2855 / +1.919.522.4931 (cell)
Cisco Systems
http://www.cisco.com/go/psirt
Current thread:
- Proper vulnerability disclosure process ???? vipul kumra (Dec 14)
- Re: Proper vulnerability disclosure process ???? InfoSecBOFH (Dec 16)
- Re: Proper vulnerability disclosure process ???? Mike Caudill (Dec 17)