M. Eastern time. The maintainer must respond within five days, which would
be 7 A.M. Pacific time five days later. An auto-response to the originator's e-mail
is not considered sufficient contact. If the maintainer does not establish contact
within the allotted time, the originator is free to disclose the information. Once
contact has been made, decisions on delaying disclosures should be discussed
between the two parties. The RFP policy warns the vendor that contact should
be made sooner rather than later. It reminds the software maker that the finder
of the problem is under no requirement to cooperate, but is simply being asked
to do so in the best interests of all parties.
• The originator should make every effort to assist the vendor in reproducing
the problem and adhering to its reasonable requests. It is also expected that the
originator will show reasonable consideration if delays occur, and if the maintainer
shows legitimate reasons why it will take additional time to fix the problem.
Both parties should work together to find a solution.
• It is the responsibility of the vendor to provide regular status updates every five
days that detail how the vulnerability is being addressed. It should also be
noted that it is solely the responsibility of the vendor to provide updates, and
not the responsibility of the originator to request them.