Notification and Disclosure Policy
I spot bugs, weaknesses and (security) vulnerabilities in software
quite often and (try to) report them to developers and vendors.
- If you are a software developer or vendor but failed to provide an
email address for reporting bugs, weaknesses and/or (security)
vulnerabilities within your software and its documentation or
failed to publish an email address on your web site I usually
disclose the bugs, weaknesses and/or (security) vulnerabilities
immediately.
- If the email address provided within your software and its
documentation or published on your web site is invalid or reports
sent to this mailbox bounce I usually disclose the bugs, weaknesses
and/or (security) vulnerabilities immediately.
- If you receive a bug, weakness and/or (security) vulnerability
report I expect at least an (immediate)
acknowledgement of receipt and a qualified reply in the course of
one week.
- If you don’t acknowledge the receipt or don’t reply
within one week I usually resend the notification once, eventually
with Cc: to
CERT/CC.
- If you again don’t acknowledge the receipt or don’t
reply within another week I usually disclose the bugs, weaknesses
and/or (security) vulnerabilities then without further notice.
- If you consider a bug, weakness and/or (security) vulnerability I
reported to you not as (security) vulnerability I
usually disclose it immediately.
- If you decline to fix a bug, weakness and/or (security)
vulnerability I reported to you I usually disclose it immediately.
- I expect that you assign or request a
CVE®
identifier for every security vulnerability I report to you and
notify me when done.
- I usually set a disclosure date 45 days after the initial bug,
weakness and/or (security) vulnerability report.
- If you can’t meet this initial deadline and need more time to
provide a fix or inform your customers I will grant an extension
of the initial deadline if you provide convincing arguments to me.
- If the set deadline expires I usually disclose the bugs, weaknesses
and/or (security) vulnerabilities then without further notice.
- I expect regular progress and/or status updates every other week,
especially if you can’t meet the (initial or extended)
deadline.
- If you don’t send progress and/or status updates on your own
I will eventually request them from you.
- If you don’t reply to a progress and/or status update request
within one week I usually disclose the bugs, weaknesses and/or
(security) vulnerabilities then without further notice.
- I usually disclose the bugs, weaknesses and/or (security)
vulnerabilities once you provide a fix or publish a (security)
advisory or bulletin.
Data Protection Declaration
This web page records no data and sets no cookies
.
The service provider for *.homepage.t-online.de,
Deutsche Telekom AG,
- records every visitor of this web site in a log file;
IP adresses are
pseudonymised, personal data are not stored.
- sets a
session cookie
.
Copyright © 1995–2019 • Stefan Kanthak •
<stefan.kanthak@nexgo.de>