-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
vipul kumra <vikumar2@yahoo.com> [2005-12-14 11:55] wrote:
Hi,
Could anyone please throw some light on what is the
proper vulnerability disclosure process. Also, are
there any legal implications if this is not done
correctly (ethically). How many days should someone
wait if the company which owns the vulnerable product
doesn't respond back.
Is there a standard way (industry protocol) for
vulnerability disclosure.
Vipul,
There are several:
NIAC Vulnerability Disclosure Framework
http://www.dhs.gov/dhspublic/interweb/assetlibrary/vdwgreport.pdf
OIS
http://www.oisafety.org/guidelines/secresp.html
RFP
http://www.wiretrip.net/rfp/policy.html
- -Mike-
- --
- ----------------------------------------------------------------------
| || || | Mike Caudill <mcaudill@cisco.com> |
| || || | PSIRT Incident Manager |
| |||| |||| | DSS PGP: 0xEBBD5271 |
| ..:||||||:..:||||||:.. | +1.919.392.2855 / +1.919.522.4931 (cell) |
| C i s c o S y s t e m s | http://www.cisco.com/go/psirt |
- ----------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDoJRGimPJSeu9UnERAugyAKCZOk2lVLJ8uvK45N8Mb8XjFdXxfgCgoQBA
sEm45Y5RXc3sWMESto/y2dE=
=Y3At
-----END PGP SIGNATURE-----
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfoc_ml
----------------------------------------------------------------------------
