
Responding to a CERT/CC Vulnerability Notification

Be Familiar With Disclosure Policy

You may want to review our Vulnerability Disclosure Policy. In brief, we generally target publication of the details of the vulnerability we reported to you 45 days after our initial contact attempt. Since our goal is a safe internet for users, we do allow some negotiation on the timeline; feel free to contact us and discuss your concerns. Likewise, we may disclose earlier than the date initially stated if we believe there is significant evidence that this vulnerability is being actively exploited.

Responding to the CERT/CC

After reviewing the vulnerability report we sent you, you can respond by sending an email to cert@cert.org. When doing so, be sure to include your VU# in the subject line so that our automated system can route your response to the analyst handling your case. If the VU# is missing from the subject line of your response, our reply may be delayed significantly.

We recommend encrypting your response email to cert@cert.org with the CERT/CC's PGP public key, so that the vulnerability details remain confidential until the public disclosure date.

To fully communicate with the CERT/CC in a secure manner, we need your organization's most up-to-date contact information. To update your information with us, please see Updating Vendor Contact Information.

What does the CERT/CC look for in a response?

Typically, we would like the following questions answered in your organization's response:

  • Is this report indicative of a real vulnerability? If not, can you provide details why you do not believe it is a vulnerability?
  • Has this vulnerability already been addressed in a recent or upcoming release?
  • If the vulnerability has not been addressed yet, when might the fix be available?
  • Do you need any further information from the CERT/CC or the reporter in order to address this issue?

If you require extra information from the CERT/CC before a determination can be made, please feel free to contact us. The best way to do so is to send an email to cert@cert.org with your VU# in the subject line, asking for more information. You may also call our phone number during business hours, and an analyst will follow up on your message.

We can also arrange conference calls with analysts, or use other communication methods, on request.

Coordinating with Other Vendors

If you discover a vulnerability that might affect more products than just your own (for example, you find a vulnerability in a widely-used open source library), please feel free to reach out to us to coordinate with all vendors at once.

We can keep your organization anonymous when coordinating with other vendors.
