
Re: Vendor guidelines regarding security contacts



Researchers and vendor contacts should also be aware of the great vendor
dictionary created by OSVDB at http://osvdb.org/vendor_dict.php that
contains many security contact addresses.

-Chris

On Mon, 8 Jan 2007, Steven M. Christey wrote:

>
> We frequently see requests for contact on this mailing list.  Readers
> are encouraged to ensure that their software vendors are aware of the
> following documents, which have more specific guidelines for vendors
> to establish.  Because these documents have been co-authored by major
> organizations, they might provide more leverage for researchers who
> have difficulty in reaching unresponsive or uninterested vendors.
> Whether you subscribe to the whole "responsible disclosure" process or
> not, presumably most of us agree that it's important for vendors to be
> easily reachable.
>
> - Steve
>
>
> The US Department of Homeland Security's "Vulnerability Disclosure
> Framework" document here:
>
>   http://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
>
> lays out some recommendations for how vendors can make their security
> POC's more available (see Figure 2 as well as "Reporting Mechanism" in
> section 6.)
>
> The Organization for Internet Safety's web site Security Vulnerability
> Reporting and Response Process document has similar recommendations,
> e.g.
>
>   5.1.3 The Vendor shall post information for contacting it to one or
>         more publicly accessible locations. The Vendor's security
>         response policy shall indicate where this information is posted,
>         or provide the contact information itself.
>   5.1.4 The Vendor's posted contact information shall, at a minimum,
>         include:
>         - A reference to the Vendor's posted security response policy.
>         - A listing of the contact methods the Vendor supports.
>         - Contact instructions for each of the methods listed above.
>         - Instructions for using the secured communication channel discussed
>           in paragraph 5.1.8 below, along with any needed cryptographic
>           key material.
>   5.1.5 The Vendor shall exercise reasonable efforts to ensure that
>         misdirected mails to the following email addresses can be
>         re-routed to the appropriate point of contact:
>         - abuse@[vendor_domain]
>         - postmaster@[vendor_domain]
>         - sales@[vendor_domain]
>         - info@[vendor_domain]
>         - support@[vendor_domain]
>
> Those are from
> http://www.oisafety.org/guidelines/Guidelines%20for%20Security%20Vulnerability%20Reporting%20and%20Response%20V2.0.pdf
>
>
> The site even has an implementation guide:
>
>   http://www.oisafety.com/reference/implement.pdf
>
>
>
> - Steve
>