
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"

If the finder uses encrypted transmissions to send its message, the vendor should reply in a similar fashion.
• Cooperate with the finder, even if it chooses to use insecure methods of communication.
The finder is expected to:
• Submit any found flaws to the vendor by sending a vulnerability summary report (VSR) to one of the published points of contact.
• If the finder cannot locate a valid contact address, it should send the VSR to one or many of the following addresses:
  • abuse@[vendor]
  • postmaster@[vendor]
  • sales@[vendor]
  • info@[vendor]
  • supports@[vendor]
Once the VSR is received, some vendors will choose to notify the public that a flaw has been uncovered and that an investigation is under way. The OIS encourages vendors to use extreme care when disclosing information that could put users' systems at risk. It is also expected that vendors will inform the finder that they intend to disclose the information to the public.
In cases where the vendor does not wish to notify the public immediately, it still needs to respond to the finder. After the VSR is sent, the vendor must respond directly to the finder within seven days. If the vendor does not respond during this period, the finder should then send a Request for Confirmation of Receipt (RFCR).