Releasing vulnerability information is a perennially debated topic with many different attitudes. Every policy has advantages and disadvantages, but I like CERT's 45-day policy, so I have adopted it with minor changes for my own disclosure process.
The advisory will be published immediately on the Full-Disclosure mailing list when any of the following occurs:
- The 14-day initial deadline ends: the vendor does not respond to any of the initial notifications or does not acknowledge the vulnerability.
- The 45-day final deadline ends: the vendor needs an extension to meet the last disclosure date.
- The vendor releases an official update.
- A third party publishes an advisory on the same issue.
- The vendor hasn’t responded to multiple previous coordination attempts.
Every new disclosure will be assigned an official CVE identifier (as per MITRE).
In the initial notification phase, the vendor is notified about the vulnerability. The notification might already include the vulnerability details; however, this ultimately depends on the contact options offered by the vendor. It usually contains a preset disclosure date, which is set 14 days after the first notification.
If the vendor does not respond to the notification(s), or only acknowledges the vulnerability once the initial deadline has ended, the vulnerability will be disclosed immediately. I decided on this strict first deadline for a straightforward reason: in 95% of my previous coordination attempts, a vendor that did not respond within the first 14 days never responded at all.
If the vendor responds, the initial deadline can be extended to the 45-day final deadline. While the vendor works on the issue up to the final deadline, I expect regular status updates on the report. If there are none, the vulnerability will be made public after 45 days, regardless of its state.
However, the deadline might be extended if the vendor has a good explanation or the vulnerability affects a wide range of users or systems.
As soon as the initial or final deadline ends, the vulnerability details will be made public, unless the relationship between RCE Security and the vendor requires otherwise (e.g., an NDA negotiated earlier under an active contract). The primary places for public disclosure are this blog and the Full-Disclosure mailing list.
Since I believe in maximum transparency and in giving administrators and penetration testers effective ways to test vulnerable systems, I will also publish either a proof of concept or an exploit alongside the blog article.