Code of Conduct
This Code of Conduct documents the expectations for users of VINCE and for coordinated vulnerability disclosure processes led by the CERT/CC.
(go look for and reference a good one?)
FIRST ethics reference somewhere on this page?
VINCE is designed to put participants (reporters) and vendors in closer, more direct communication. The CERT/CC no longer acts as an email proxy or as the (approval) moderator of a mailing list. We expect participants to be professional and respectful. Disagreement is OK; personal jibes are not. Participants can edit or delete their own messages. CERT/CC can edit (?) or delete any message. We expect to edit, delete, or otherwise moderate only when needed.
CERT/CC policy is disclosure 45 days after notifying the vendor (pointer to disclosure policy). In practice, the date is almost always negotiated among the case participants. We expect participants to honor embargoes. If you disclose prematurely, we expect you to inform us, if possible before the disclosure. In other words, it is better for the group to know that an early disclosure is coming than to be surprised by it. We would prefer that embargo dates are kept.
(Field in VINCE on the case.)
We expect and request that vendors provide status updates and remain responsive.