Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

Overview

This Code of Conduct documents the expectations for users of VINCE and coordinated vulnerability disclosure processes lead by the CERT/CC.

Code of Conduct

(go look for and reference a good one?)

FIRST ethics reference somewhere on this page?

https://www.first.org/global/sigs/ethics/ethics-first


2.5. Ethical Considerations


The design of VINCE corresponds to the having participants/reporters and vendors in closer comms. The CERT/CC is no longer acting as email proxy and mailing list (approval) moderator. We expect participants to be professional and respectful. Disagreement is OK, personal jibes are not. Participants can edit or delete their own messages. CERT/CC can edit? or delete any messages. We only expect to edit/delete/moderate when needed.

Be responsive


Embargo

CERT/CC policy is 45 days after notifying vendor. pointer to disclosure policy. In practice, this is almost always negotiated among case participants. We expect participants to follow the embargos. If you prematurely disclose, we expect you to inform us, if possible before the disclosure. IOW, it's better that the group know an early disclosure is coming than be surprised. We'd prefer that embargo dates are kept.

Field in vince on case.


Vendor Statement

We expect/request vendors to provide status/be responsive

  • No labels