Both sides must consent to the use of this independent
body and agree upon the selection process.
If all efforts have been made and the finder and vendor are still not in agreement,
either side can elect to exit the process. Again, the OIS strongly encourages both sides to
consider the protection of computers, the Internet, and critical infrastructures when
deciding how to release vulnerability information.
Validation
The validation phase involves the vendor reviewing the VSR, verifying the contents, and
working with the finder throughout the investigation. An important aspect of the validation
phase is the consistent practice of updating the finder on the status of the investigation.
The OIS provides some general rules regarding status updates:
• The vendor must provide status updates to the finder at least once every seven
business days, unless another arrangement is agreed upon by both sides.
• Communication methods must be mutually agreed upon by both sides.
Examples of these methods include telephone, e-mail, or an FTP site.
• If the finder does not receive an update within the seven-day window, it should
issue a Request for Status (RFS).
• The vendor then has three business days to respond to the RFS.