[olug] Re: New CERT/CC Vulnerability Disclosure Policy
John Kennedy
jkennedy at orent.com
Wed Oct 4 14:40:14 UTC 2000
Aaaahhh the reach of M$...
John
Shawn Hernan wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> Hello,
>
> I thought readers of this list may find our new vulnerability
> disclosure policy interesting.
>
> Effective October 9, 2000, the CERT Coordination Center will follow a
> new policy with respect to the disclosure of vulnerability
> information. All vulnerabilities reported to the CERT/CC will be
> disclosed to the public 45 days after the initial report, regardless
> of the existence or availability of patches or workarounds from
> affected vendors. Extenuating circumstances, such as active
> exploitation, threats of an especially serious (or trivial) nature, or
> situations that require changes to an established standard may result
> in earlier or later disclosure. Disclosures made by the CERT/CC will
> include credit to the reporter unless otherwise requested by the
> reporter. We will apprise any affected vendors of our publication
> plans, and negotiate alternate publication schedules with the affected
> vendors when required.
>
> It is the goal of this policy to balance the need of the public to be
> informed of security vulnerabilities with the vendors' need for time
> to respond effectively. The final determination of a publication
> schedule will be based on the best interests of the community overall.
>
> More information can be found at
>
> http://www.cert.org/faq/vuldisclosurepolicy.html
>
> Thanks,
> Shawn
>
> Shawn Hernan
> Vulnerability Handling Team Leader
> CERT/CC
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.1i
>
> -----END PGP SIGNATURE-----
--
John Kennedy
UNIX System Administrator
Orent Graphics
402-733-6400 Ext 266