Notification and disclosure policy
I detect bugs, weaknesses and (security) vulnerabilities in
software quite often and (try to) report them to developers and
vendors.
- If you are a software developer or vendor but failed to provide an
email address for reporting bugs, weaknesses and/or (security)
vulnerabilities within your software and its documentation or
failed to publish an email address on your web site I usually
disclose the bugs, weaknesses and/or (security) vulnerabilities
immediately.
- If the email address provided within your software and its
documentation or published on your web site is invalid or reports
sent to this mailbox bounce I usually disclose the bugs, weaknesses
and/or (security) vulnerabilities immediately.
- If you receive a bug, weakness and/or (security) vulnerability
report I expect at least an (immediate)
acknowledgement of receipt and a qualified reply in the course of
one week.
- If you don't acknowledge the receipt or don't reply within one week
I usually resend the notification once, eventually with
Cc: to
CERT/CC.
- If you again don't acknowledge the receipt or don't reply within
another week I usually disclose the bugs, weaknesses and/or
(security) vulnerabilities then without further notice.
- If you consider a bug, weakness and/or (security) vulnerability I
reported to you not as (security) vulnerability I
usually disclose it immediately.
- If you decline to fix a bug, weakness and/or (security)
vulnerability I reported to you I usually disclose it immediately.
- I expect that you assign or request a
CVE®
identifier for every security vulnerability I report to you and
notify me when done.
- I usually set a disclosure date 45 days after the initial bug,
weakness and/or (security) vulnerability report.
- If you can't meet this initial deadline and need more time to
provide a fix or inform your customers I will grant an extension
of the initial deadline if you provide convincing arguments to me.
- If the set deadline expires I usually disclose the bugs, weaknesses
and/or (security) vulnerabilities then without further notice.
- I expect regular progress and/or status updates, especially if you
can't meet the (initial or extended) deadline.
- If you don't send progress and/or status updates on your own I will
eventually request them from you.
- If you don't reply to a progress and/or status update request
within one week I usually disclose the bugs, weaknesses and/or
(security) vulnerabilities then without further notice.
- I usually disclose the bugs, weaknesses and/or (security)
vulnerabilities once you provide a fix or publish a (security)
advisory or bulletin.
Copyright © 1995-2017 • Stefan Kanthak •
<skanthak@nexgo.de>