Now In
Papers, etc.
About C&J
Canola & Jones > On-going Projects > Disclosure Procedure


Disclosure Procedure
Rev. 00 (Protocol 04)

The following procedure is applied when a vulnerability in a product or public network service is found:
A.  Generally, the procedures recommended by CVE (http://cve.mitre.org) are followed.
B.  If there is no NDA-protected information involved, this procedure is used.
If there is an NDA, the NDA is honored.
C.  The process is intended to receive either a CVE number, or a tracking number/notice from the vendor, or a fix, or some combination of these.
This is the process we prefer to use:
C.1.  A C&J case number is assigned.
C.2.  The vendor (or designated implementation team aka "vendor/DI team") is notified through their standard security notification procedure. Should there be no procedure, one documented final effort will be made to notify the vendor, and then CVE will be notified anyway.
C.3.  The vendor/DI team will be asked for a CVE number as part of their response, if they have their own CVE number pool.
C.4.  The day the vendor/DI team is notified, a 30 day timer is started. If there is no vendor response within that time, or the vendor responds that they do not feel this reported vulnerability is a problem, then CVE may be contacted for a number anyway.


Copyright © 2003-2005