Introduction

Releasing vulnerability advisories is a perennially discussed problem, and there are many different attitudes towards it. Every policy has its own advantages and disadvantages, but I really like CERT’s 45-day policy. So I have adopted their policy with some small changes and use it for my own disclosure processes.

Assignment Process

Unfortunately, MITRE has recently changed its CVE assignment process dramatically, with the result that less well-known applications are no longer being assigned CVEs. I think that is an inappropriate move, and it forces me to use an alternative. Therefore every new disclosure will carry an identifier of the form RCESEC-YEAR-NUMBER, plus a CVE in case one is assigned.

Notification Process

In this phase the vendor is initially notified about the discovery through different channels, and the notification includes a preset public disclosure date. The notification might already include the vulnerability details; whether it does depends on the contact options the vendor offers initially (for example, whether an encrypted channel is available). It usually also includes an initial deadline, which is set 14 days after the time of the first notification. During these 14 days the vendor will be contacted multiple times through multiple channels to make sure the notification is received.

Disclosure Process

If the vendor does not respond to the notifications before the initial deadline ends, the vulnerability will be disclosed immediately. I decided on this really hard first deadline for one simple reason: in 95% of my previous coordination attempts, a vendor who did not respond within the first 14 days did not respond at all. If the vendor responds, the initial deadline is extended to the final deadline of 45 days. While the vendor works on the issue until the final deadline, I expect regular status updates. If there are none, the vulnerability will be made public after 45 days regardless of the state of the fix. If the vendor has a very good explanation, however, or the vulnerability affects a wide range of users and/or systems, the deadline might be extended.

As soon as either the initial or the final deadline ends, the details of the vulnerability will be made public, subject to the relationship between RCE Security and the vendor (e.g. a previously negotiated NDA due to active contracts). The disclosure happens in various places, among them Full-Disclosure and Bugtraq. Since I believe in maximum transparency and in giving administrators and penetration testers an effective way to test vulnerable systems, I will also publish either a proof of concept or an exploit alongside an article on this blog.

Summary

The advisory will be published immediately on the Full-Disclosure and Bugtraq mailing lists when any of the following occurs:
  • The 14-day initial deadline ends: the vendor has not responded to any of the initial notifications.
  • The 45-day final deadline ends: the vendor has not met the final disclosure date and no extension was agreed.
  • An official update is released by the vendor.
  • A third party publishes an advisory on the same issue.
  • The vendor has not responded to multiple previous coordination attempts.
