Policy on security vulnerabilities discovered by Larry W. Cashdollar
Once I have found a vulnerability in a software vendor's product, the following steps will be taken:
- I will attempt to contact the appropriate product vendor by email.
- I will provide the vulnerability details to the vendor.
- I will keep any communication regarding the vulnerability confidential until the disclosure process is complete.
- I will request a CVE ID for the vulnerability from MITRE if the software vendor is not a CVE Numbering Authority (CNA) itself.
Once the vendor has responded, we can negotiate a disclosure timetable together. I generally like to keep public disclosure under 90 days after discovery.
If the vendor is unresponsive for more than two weeks, the vulnerability will be disclosed via public email lists, blog posts, and social media.
The advisory will then be made available to the general public, possibly in a blog post and on social media.