...
Whatever the issue is in the context of a vulnerability disclosure, lawyers alone are rarely the right answer. Cease-and-desist letters tend to backfire as described in Section 6.8.
Responding with legal threats can have negative public relations effects in the long term for vendors as well:
...
We have outlined a variety of ways in which the CVD process might not go as smoothly as you'd like, whether you are a finder, reporter, vendor, coordinator, or deployer. When problems arise that you're not prepared to handle, or even if you just need a quick opinion on what to do next, there are a number of coordinating organizations available to help. These include the following:
- CERT/CC
- National CSIRTs that handle CVD cases
  - JPCERT/CC
  - NCSC-FI
  - NCSC-NL
- Larger vendors (Google, Microsoft, etc.)
- Bug bounty operators (BugCrowd, HackerOne, etc.)
...
- What went well?
- What went wrong?
- What could we do differently to improve?