Date:         Tue, 3 Oct 2000 20:03:34 -0400
Subject:      New CERT/CC Vulnerability Disclosure Policy
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

Hello,

I thought readers of this list may find our new vulnerability
disclosure policy interesting.

Effective October 9, 2000, the CERT Coordination Center will follow a
new policy with respect to the disclosure of vulnerability
information. All vulnerabilities reported to the CERT/CC will be
disclosed to the public 45 days after the initial report, regardless
of the existence or availability of patches or workarounds from
affected vendors. Extenuating circumstances, such as active
exploitation, threats of an especially serious (or trivial) nature, or
situations that require changes to an established standard may result
in earlier or later disclosure. Disclosures made by the CERT/CC will
include credit to the reporter unless otherwise requested by the
reporter. We will apprise any affected vendors of our publication
plans, and negotiate alternate publication schedules with the affected
vendors when required.

It is the goal of this policy to balance the need of the public to be
informed of security vulnerabilities with the vendors' need for time
to respond effectively. The final determination of a publication
schedule will be based on the best interests of the community overall.

More information can be found at

        http://www.cert.org/faq/vuldisclosurepolicy.html

Thanks,
Shawn

Shawn Hernan
Vulnerability Handling Team Leader
CERT/CC


-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQCVAwUBOdp0egYcfu8gsZJZAQE/qAP8DdakGWrvKYukVYxLwnFFsBZS1z1Ne7T3
e127+fzV4ePQzGup81kwgcTJIXuhn9DR1ENEHcD81MmVCIwRWq9eTSKjKHb6hI+4
LHRWpXqK+lwEax6mUqg7z7hCVlsZtOlVwbG2uwXbmhZ+omMNbqoQJXrMmP5yZLJx
1LPciSCzQys=
=P98e
-----END PGP SIGNATURE-----