The following procedure is applied when a vulnerability in a product or public network service is found. The procedures recommended by CVE (http://cve.mitre.org) are followed.

If there is no NDA-protected information involved, this procedure
If there is an NDA, the NDA is honored.

This process is intended to receive either a CVE number, or a tracking number/notice from the vendor, or a fix, or some combination. This is the process we prefer to use:

1. A C&J case number is assigned.

2. The vendor (or designated implementation team, aka "vendor/DI team") is notified through their standard security notification procedure. Should there be no procedure, one documented final effort will be made to notify the vendor, and then CVE will be notified anyway.

3. The vendor/DI team will be asked for a CVE number as part of their response, if they have their own CVE number pool.

4. The day the vendor/DI team is notified, a 30-day timer is started. If there is no vendor response within that time, or the vendor responds that they do not feel this reported vulnerability is a problem, then CVE may be contacted for a number anyway.