The following procedure is applied when a vulnerability in a product or public network service is found:

A. Generally, the procedures recommended by CVE (http://cve.mitre.org) are followed.

B. If there is no NDA-protected information involved, this procedure is used. If there is an NDA, the NDA is honored.

C. The process is intended to receive either a CVE number, or a tracking number/notice from the vendor, or a fix, or some combination of these.

This is the process we prefer to use:

C.1. A C&J case number is assigned.

C.2. The vendor (or designated implementation team, aka "vendor/DI team") is notified through their standard security notification procedure. Should there be no such procedure, one documented final effort will be made to notify the vendor, and then CVE will be notified anyway.

C.3. The vendor/DI team will be asked for a CVE number as part of their response, if they have their own CVE number pool.

C.4. The day the vendor/DI team is notified, a 30-day timer is started. If there is no vendor response within that time, or the vendor responds that they do not consider the reported vulnerability a problem, then CVE may be contacted for a number anyway.