Policy on Security vulnerabilities discovered by Larry W. Cashdollar
v1.0
Once I have found a vulnerability in a software vendor's product, the following steps will be taken:
- I will keep any communication regarding the vulnerability confidential until the disclosure process is complete.
- I will attempt to contact the appropriate product vendor by email.
- I will provide the vulnerability details to the vendor.
- I will assign a CVE ID to the vulnerability if the software vendor is not itself a MITRE CVE Numbering Authority (CNA).
If the vendor is unresponsive for more than two weeks, the vulnerability will be disclosed via public email lists, blog posts, and social media.
Once the vendor has responded, we can negotiate a disclosure timetable together. I generally like to keep public disclosure within 90 days of discovery.
The advisory will then be made available to the general public, possibly via a blog post and social media.