Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Proper vulnerability disclosure process ????

From: Mike Caudill <mcaudill () cisco com>
Date: Wed, 14 Dec 2005 16:53:10 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


vipul kumra <vikumar2 () yahoo com> [2005-12-14 11:55] wrote:
Hi,
 
Could anyone please throw some light on what is the
proper vulnerability disclosure process. Also, are
there any legal implications if this is not done
correctly (ethically). How many days should someone
wait if the company which owns the vulnerable product
doesn't respond back.
 
Is there a standard way (industry protocol) for
vulnerability disclosure.
 


Vipul,

There are several:

NIAC Vulnerability Disclosure Framework
http://www.dhs.gov/dhspublic/interweb/assetlibrary/vdwgreport.pdf

OIS
http://www.oisafety.org/guidelines/secresp.html

RFP
http://www.wiretrip.net/rfp/policy.html


- -Mike-

- -- 
- ----------------------------------------------------------------------
|      ||        ||       | Mike Caudill  <mcaudill () cisco com>       |
|      ||        ||       | PSIRT Incident Manager                   |
|     ||||      ||||      | DSS PGP: 0xEBBD5271                      |
| ..:||||||:..:||||||:..  | +1.919.392.2855 / +1.919.522.4931 (cell) |
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt            |
- ----------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDoJRGimPJSeu9UnERAugyAKCZOk2lVLJ8uvK45N8Mb8XjFdXxfgCgoQBA
sEm45Y5RXc3sWMESto/y2dE=
=Y3At
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfoc_ml
----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: