Me, myself & IT

Notification and Disclosure Policy

I spot bugs, weaknesses and (security) vulnerabilities in software quite often and (try to) report them to developers and vendors.

If you are a software developer or vendor but failed to provide an email address for reporting bugs, weaknesses and/or (security) vulnerabilities within your software and its documentation or failed to publish an email address on your web site I usually disclose the bugs, weaknesses and/or (security) vulnerabilities immediately.
If the email address provided within your software and its documentation or published on your web site is invalid or reports sent to this mailbox bounce I usually disclose the bugs, weaknesses and/or (security) vulnerabilities immediately.
If you receive a bug, weakness and/or (security) vulnerability report I expect at least an (immediate) acknowledgement of receipt and a qualified reply in the course of one week.
If you don’t acknowledge the receipt or don’t reply within one week I usually resend the notification once, eventually with Cc: to CERT/CC.
If you again don’t acknowledge the receipt or don’t reply within another week I usually disclose the bugs, weaknesses and/or (security) vulnerabilities then without further notice.
If you consider a bug, weakness and/or (security) vulnerability I reported to you not as (security) vulnerability I usually disclose it immediately.
If you decline to fix a bug, weakness and/or (security) vulnerability I reported to you I usually disclose it immediately.
I expect that you assign or request a CVE^® identifier for every security vulnerability I report to you and notify me when done.
I usually set a disclosure date 45 days after the initial bug, weakness and/or (security) vulnerability report.
If you can’t meet this initial deadline and need more time to provide a fix or inform your customers I will grant an extension of the initial deadline if you provide convincing arguments to me.
If the set deadline expires I usually disclose the bugs, weaknesses and/or (security) vulnerabilities then without further notice.
I expect regular progress and/or status updates every other week, especially if you can’t meet the (initial or extended) deadline.
If you don’t send progress and/or status updates on your own I will eventually request them from you.
If you don’t reply to a progress and/or status update request within one week I usually disclose the bugs, weaknesses and/or (security) vulnerabilities then without further notice.
I usually disclose the bugs, weaknesses and/or (security) vulnerabilities once you provide a fix or publish a (security) advisory or bulletin.