...

Whatever the issue is in the context of a vulnerability disclosure, lawyers alone are rarely the right answer. Cease-and-desist letters tend to backfire as described in Section 6.8.

Responding with legal threats can have negative public relations effects in the long term for vendors as well:

...

We have outlined a variety of ways in which the CVD process might not go as smoothly as you'd like, whether you are a finder, reporter, vendor, coordinator, or deployer. When problems arise that you're not prepared to handle, or even if you just need a quick opinion on what to do next, there are a number of coordinating organizations available to help. These include the following:

  • CERT/CC
  • National CSIRTs that handle CVD cases
  • JPCERT/CC
  • NCSC-FI
  • NCSC-NL
  • Larger vendors (Google, Microsoft, etc.)
  • Bug bounty operators (BugCrowd, HackerOne, etc.)

...