Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 3: Proper and Ethical Disclosure

Under this model, strict policies are enforced upon the vendor if it wants the situation to remain
confidential. The details of the policy follow:
• The issue begins when the originator (the reporter of the problem) e-mails the
maintainer (the software vendor) with the details of the problem. The moment
the e-mail is sent is considered the date of contact. The originator is responsible
for locating the appropriate contact information of the maintainer, which can
usually be obtained through its website. If this information is not available,
e-mails should be sent to one or all of the addresses shown next.
The common e-mail formats that should be implemented by vendors include:
security-alert@[maintainer]
secure@[maintainer]
security@[maintainer]
support@[maintainer]
info@[maintainer]
• The maintainer will be allowed five days from the date of contact to reply to the
originator. The date of contact is from the perspective of the originator of the
issue, meaning if the person reporting the problem sends an e-mail from New
York at 10 A.M. to a software vendor in Los Angeles, the time of contact is 10 A.