Date: Tue, 3 Oct 2000 20:03:34 -0400
Subject: New CERT/CC Vulnerability Disclosure Policy
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

Hello,

I thought readers of this list may find our new vulnerability disclosure policy interesting.

Effective October 9, 2000, the CERT Coordination Center will follow a new policy with respect to the disclosure of vulnerability information.

All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure.

Disclosures made by the CERT/CC will include credit to the reporter unless otherwise requested by the reporter. We will apprise any affected vendors of our publication plans, and negotiate alternate publication schedules with the affected vendors when required.

It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with the vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.

More information can be found at
http://www.cert.org/faq/vuldisclosurepolicy.html

Thanks,
Shawn

Shawn Hernan
Vulnerability Handling Team Leader
CERT/CC

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBOdp0egYcfu8gsZJZAQE/qAP8DdakGWrvKYukVYxLwnFFsBZS1z1Ne7T3
e127+fzV4ePQzGup81kwgcTJIXuhn9DR1ENEHcD81MmVCIwRWq9eTSKjKHb6hI+4
LHRWpXqK+lwEax6mUqg7z7hCVlsZtOlVwbG2uwXbmhZ+omMNbqoQJXrMmP5yZLJx
1LPciSCzQys=
=P98e
-----END PGP SIGNATURE-----