The OIS designed a report guideline, known as a vulnerability summary report (VSR), that is used as a template to properly describe the issues. The VSR includes the following components:
• Finder's contact information
• Security response policy
• Status of the flaw (public or private)
• Whether the report contains confidential information
• Affected products/versions
• Affected configurations
• Description of flaw
• Description of how the flaw creates a security problem
• Instructions on how to reproduce the problem
Notification
The next step in the process is contacting the vendor. According to the OIS, this is the most important phase of the plan. Open and effective communication is the key to understanding and ultimately resolving the software vulnerability. The following are guidelines for notifying the vendor.
The vendor is expected to do the following:
• Provide a single point of contact for vulnerability reports.
• Post contact information in at least two publicly accessible locations, and include the locations in its security response policy.
• Include in contact information:
    • Reference to the vendor's security policy
    • A complete listing/instructions for all contact methods
    • Instructions for secure communications
• Make reasonable efforts to ensure that e-mails sent to the following formats are rerouted to the appropriate parties:
    • abuse@[vendor]
    • postmaster@[vendor]
    • sales@[vendor]
    • info@[vendor]
    • support@[vendor]
Gray Hat Hacking: The Ethical Hacker's Handbook, Chapter 3: Proper and Ethical Disclosure
• Provide a secure communication method between itself and the finder.
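One way a vendor can meet the "publicly accessible contact information", "reference to the security policy" and "instructions for secure communications" points above is to publish a security.txt file (RFC 9116) at /.well-known/security.txt. The following file is an added example written for this chapter, not something from the book or from the OIS; the domain, mailbox, key location and policy URL are placeholder values, and the Expires date is an arbitrary constructed value.

```text
# /.well-known/security.txt -- example only; example.com is a placeholder vendor
# Single point of contact for vulnerability reports (role mailbox, not a person)
Contact: mailto:security@example.com
# Second public contact location, as the guideline asks for at least two
Contact: https://example.com/security/report
# Instructions for secure communications: where the finder fetches the PGP key
Encryption: https://example.com/security/pgp-key.txt
# Reference to the vendor's security response policy
Policy: https://example.com/security/policy
# The file must carry an expiry so stale contact data is not trusted indefinitely
Expires: 2026-12-31T23:59:59Z
# Where the authoritative copy of this file lives
Canonical: https://example.com/.well-known/security.txt
```

The file should be served over HTTPS and, per RFC 9116, ideally signed with the same PGP key referenced in the Encryption field so a finder can check that the contact details themselves have not been tampered with.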