You may want to review our Vulnerability Disclosure Policy. In brief, we generally target publication of details of the vulnerability we reported to you 45 days after our initial contact attempt. Since our goal is a safe internet for users, we do allow some negotiation on the timeline; feel free to contact us and discuss your concerns. Likewise, we may disclose earlier than initially reported if we believe there is significant evidence of current exploit of this vulnerability.
After reviewing the vulnerability report submitted, you can respond by sending an email to cert@cert.org. When doing so, be sure to include your VU# in the subject line, so that our automated system can route your response to the analyst handling your case. If you forget to add the VU# to the subject line of your response email, our response may be delayed significantly.
We recommend encrypting your response email to cert@cert.org with the CERT/CC's PGP public key, in order to maintain privacy until the public disclosure date. For more information on using PGP or obtaining the CERT/CC's PGP key, please see Sending Sensitive Information.
To fully communicate with the CERT/CC in a secure manner, we need your organization's most up-to-date contact information, including your own PGP public key. To update your information with us, please see Updating Vendor Contact Information.
Typically, we would like the following questions answered in your organization's response:
If you require extra information from the CERT/CC before a determination can be made, please feel free to contact us. The best way to do so is to send an email to cert@cert.org with your VU# in the subject line, asking for more information. You may also call our phone number during business hours and an analyst will follow up with your message.
We may also be able to arrange conference calls with analysts, or use other communication methods if requested.
After 45 days or another agreed upon timeline, we publish Vulnerability Notes on our website http://www.kb.cert.org/vuls/ to disclose the vulnerability and information on addressing the vulnerability if available.
We welcome Vendor Statements on any Vulnerability Note, even if the Note is already published. The Vendor Statement can consist of any statement or information you wish; we will copy this statement verbatim into our published Vulnerability Note. To send a Vendor Statement, please email us at cert@cert.org with the VU# of the vulnerability in the subject line, and include your statement in the body of the email. This email should be PGP signed by your organization's key so we may verify its authenticity.
If you discover a vulnerability that might affect more products than just your own (for example, you find a vulnerability in a widely-used open source library), please feel free to reach out to us to coordinate with all vendors at once.
We can keep your organization anonymous when coordinating with other vendors.