responsible_disclosure_process.md
Discovery
- A flaw has been found. The researcher must check whether the vulnerability has already been reported or patched, ensure it can be reproduced consistently, and ensure it affects the default configuration.
- Output: Vulnerability Summary Report (VSR)

Notification
- The discoverer submits his contact information together with the VSR to the vendor, referencing the vendor's security policy. These details are sent to the address listed in the vendor's security policy or to one of the standard email addresses laid out in the OIS standard. The vendor must respond to this step.

Validation
- The vendor researches and validates the vulnerability. Regular status updates to the reporter are suggested during this phase.

Findings
- Once the vendor finishes its investigation, it confirms, disproves, or indicates inconclusive findings. The vendor is required to demonstrate that research was done and typically meets this requirement by providing lists of products, versions, and tests performed.

Resolution
- If a flaw is inconclusive or is disproven, the weakness may be made public. If it is confirmed, the vendor typically has 30 days to issue a patch or fix.

Release
- The remedy is released together with the notification.