Responsible Disclosure Policy
I firmly believe that a coordinated disclosure is the best approach to properly and efficiently address a vulnerability and thus protect a vendor's customers. However, software vendors too often deliberately fail to respond adequately to vulnerability reports, they sometimes don't respect the valuable work made by the researcher and ignore recommendations put forward to them. As a consequence they leave their customers exposed for an irresponsibly long period of time.
The following rules will apply to the procedure of disclosing a software vulnerability:
- I will contact the vendor to ask for his PGP key to be able to send the vulnerability notice in confidence. I expect a response to this first contact within two days.
- If there is no response I will resend the request for a PGP key once, using publicly available contact information of the vendor.
- If the vendor agrees on a publication date for the security advisory I will assist to find a fix for the problem if possible and I will not publish the vulnerability before the vendor has developed a fix that can be published together with the security advisory.
- Unresponsive vendors, or vendors who deny that the vulnerability is a serious problem, will receive the security advisory two weeks prior to its intended publication date.
- Eventually, the vulnerability information will be published when:
- The preset or agreed disclosure date is reached.
- The vendor issues a fix or his own security advisory.
- Information about the vulnerability is published by a third party.
- The vendor indicates that he is unwilling to fix the code.