
Vendor guidelines regarding security contacts



We frequently see requests for contact on this mailing list.  Readers
are encouraged to ensure that their software vendors are aware of the
following documents, which have more specific guidelines for vendors
to establish.  Because these documents have been co-authored by major
organizations, they might provide more leverage for researchers who
have difficulty in reaching unresponsive or uninterested vendors.
Whether you subscribe to the whole "responsible disclosure" process or
not, presumably most of us agree that it's important for vendors to be
easily reachable.

- Steve


The US Department of Homeland Security's "Vulnerability Disclosure
Framework" document here:

  http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf

lays out some recommendations for how vendors can make their security
POCs more available (see Figure 2 as well as "Reporting Mechanism" in
section 6).

The Organization for Internet Safety's web site Security Vulnerability
Reporting and Response Process document has similar recommendations,
e.g.

  5.1.3 The Vendor shall post information for contacting it to one or
        more publicly accessible locations. The Vendor's security
        response policy shall indicate where this information is posted,
        or provide the contact information itself.
  5.1.4 The Vendor's posted contact information shall, at a minimum,
        include:
        - A reference to the Vendor's posted security response policy.
        - A listing of the contact methods the Vendor supports.
        - Contact instructions for each of the methods listed above.
        - Instructions for using the secured communication channel
          discussed in paragraph 5.1.8 below, along with any needed
          cryptographic key material.
  5.1.5 The Vendor shall exercise reasonable efforts to ensure that
        misdirected mails to the following email addresses can be
        re-routed to the appropriate point of contact:
        - abuse@[vendor_domain]
        - postmaster@[vendor_domain]
        - sales@[vendor_domain]
        - info@[vendor_domain]
        - support@[vendor_domain]

Those are from
http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf


The site even has an implementation guide:

  http://www.oisafety.com/reference/implement.pdf



- Steve