[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200701081949.l08JnuMp011203@faron.mitre.org>
Date: Mon, 8 Jan 2007 14:49:56 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Subject: Vendor guidelines regarding security contacts
We frequently see requests for contact on this mailing list. Readers
are encouraged to ensure that their software vendors are aware of the
following documents, which have more specific guidelines for vendors
to establish. Because these documents have been co-authored by major
organizations, they might provide more leverage for researchers who
have difficulty in reaching unresponsive or uninterested vendors.
Whether you subscribe to the whole "responsible disclosure" process or
not, presumably most of us agree that it's important for vendors to be
easily reachable.
- Steve
The US Department of Homeland Security's "Vulnerability Disclosure
Framework" document here:
http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
lays out some recommendations for how vendors can make their security
POC's more available (see Figure 2 as well as "Reporting Mechanism" in
section 6.)
The Organization for Internet Safety's web site Security Vulnerability
Reporting and Response Process document has similar recommendations,
e.g.
5.1.3 The Vendor shall post information for contacting it to one or
more publicly accessible locations. The Vendor.s security
response policy shall indicate where this information is posted,
or provide the contact information itself.
5.1.4 The Vendor.s posted contact information shall, at a minimum,
include:
. A reference to the Vendor.s posted security response policy.
. A listing of the contact methods the Vendor supports.
. Contact instructions for each of the methods listed above.
. Instructions for using the secured communication channel discussed
in paragraph 5.1.8 below, along with any needed cryptographic
key material.
5.1.5 The Vendor shall exercise reasonable efforts to ensure that
misdirected mails to the following email addresses can be
re-routed to the appropriate point of contact:
. abuse@[vendor_domain]
. postmaster@[vendor_domain]
. sales@[vendor_domain]
. info@[vendor_domain]
. support@[vendor_domain]
Those are from
http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf
The site even has an implementation guide:
http://www.oisafety.com/reference/implement.pdf
- Steve
Powered by blists - more mailing lists