[17038] in bugtraq
New CERT/CC Vulnerability Disclosure Policy
daemon@ATHENA.MIT.EDU (Shawn Hernan)
Wed Oct 4 02:12:09 2000
Message-ID: <921774.3179592214@centerfield.blue.cert.org>
Date: Tue, 3 Oct 2000 20:03:34 -0400
Reply-To: Shawn Hernan <svh@cert.org>
From: Shawn Hernan <svh@cert.org>
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hello,

I thought readers of this list may find our new vulnerability
disclosure policy interesting.

Effective October 9, 2000, the CERT Coordination Center will follow a
new policy with respect to the disclosure of vulnerability
information. All vulnerabilities reported to the CERT/CC will be
disclosed to the public 45 days after the initial report, regardless
of the existence or availability of patches or workarounds from
affected vendors. Extenuating circumstances, such as active
exploitation, threats of an especially serious (or trivial) nature, or
situations that require changes to an established standard may result
in earlier or later disclosure. Disclosures made by the CERT/CC will
include credit to the reporter unless otherwise requested by the
reporter. We will apprise any affected vendors of our publication
plans, and negotiate alternate publication schedules with the affected
vendors when required.

It is the goal of this policy to balance the need of the public to be
informed of security vulnerabilities with the vendors' need for time
to respond effectively. The final determination of a publication
schedule will be based on the best interests of the community overall.

More information can be found at

http://www.cert.org/faq/vuldisclosurepolicy.html

Thanks,
Shawn

Shawn Hernan
Vulnerability Handling Team Leader
CERT/CC
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
-----END PGP SIGNATURE-----