Computer Emergency Response Team - Industrie Services et Tertiaire The CERT for France Industry, Services and Tertiary sector
Vulnerability disclosure policy

In line with the standardisation efforts started by the IETF, Cert-IST has adopted a responsible disclosure policy for security vulnerabilities.

Cert-IST vulnerability disclosure policy

This policy states the rules Cert-IST follows regarding vulnerability disclosure. Its aims are to ensure the security of the Cert-IST constituency and to enable Vendors to develop fixes for their security problems quickly.

  • Cert-IST follows the process described in the draft "Responsible Vulnerability Disclosure Process". Its primary role (in the terms of this draft) is that of Coordinator (the entity that works with the Vendor and the Reporter to analyse a vulnerability). Cert-IST may sometimes also play the role of Reporter (the entity that informs the Vendor of a new vulnerability).

  • Cert-IST undertakes to respect a grace period, generally of 30 days, before publishing its advisories. During the discovery process of a new vulnerability, Cert-IST therefore notifies the Vendor and tells it what information will be published if no response is received by the end of the grace period. If the severity of the threat requires this period to be shortened, the actors involved (in particular the Vendor) are informed. This grace period applies only to new vulnerabilities, that is, vulnerabilities that have not already been published in a public forum (open mailing lists, public web sites, etc.).

  • During the Vendor notification period, Cert-IST undertakes to provide all the information the Vendor needs to qualify the vulnerability: a description of the problem, the versions tested, the code used and any other technical information useful for understanding the problem. Notification is generally made by email, and the notification date is recorded.

  • Unless the Reporter objects, Cert-IST gives the Reporter's name to the Vendor at notification time and to the Cert-IST constituency when the advisory is released.

  • Cert-IST applies this policy uniformly to all Vendors (software editors).

  • Nevertheless, in case of high security risk, Cert-IST reserves the right to publish the information before the end of, or after, the grace period; the decision whether or not to publish an advisory will always take into account the security interests of the various actors. Whenever possible, Cert-IST will propose a workaround so that users can protect themselves against exploitation of the vulnerability.

Reference text: draft-christey-wysopal-vuln-disclosure-00 (Responsible Vulnerability Disclosure Process)

Copyright © 1999-2008 Cert-IST