The RFCR is basically a final
warning to the vendor stating that a vulnerability has been found, a notification has been
sent, and a response is expected. The RFCR should also include a copy of the original VSR
that was sent previously. The vendor will be given three days to respond.
If the finder does not receive a response to the RFCR in three business days, it can
move forward with public notification of the software flaw. The OIS strongly encourages
both the finder and the vendor to exercise caution before releasing potentially dangerous
information to the public. The following guidelines should be observed:
??? Exit the communication process only after trying all possible alternatives.
??? Exit the process only after providing notice to the vendor (RFCR would be
considered an appropriate notice statement).
??? Reenter the process once any type of deadlock situation is resolved.
The OIS encourages, but does not require, the use of a third party to assist with communication
breakdowns. Using an outside party to investigate the flaw and to stand
between the finder and vendor can often speed up the process and provide a resolution
that is agreeable to both parties. A third party can consist of security companies, professionals,
coordinators, or arbitrators.
Pages:
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176