Policy on Security vulnerabilities discovered by Larry W. Cashdollar


Once I have found a vulnerability in a software vendor's product the following steps will be taken:

If the vendor is unresponsive for more than two weeks the vulnerability will be disclosed via public email lists, blog posts, and social media.
Once the vendor has responded we can negotiate a disclosure timetable together. I generally like to keep public disclosures under 90 days after discovery.
This advisory will be made available to the general public possibly in a blog post and social media.