The RFS is considered a courtesy to the vendor reminding it that it owes the finder an
update on the progress that is being made on the investigation.
Investigation
The investigation work that a vendor undertakes should be thorough and cover all related
products linked to the vulnerability. Often, the finder's VSR will not cover all aspects of the
flaw, and it is ultimately the responsibility of the vendor to research all areas that are
affected by the problem, which includes all versions of code, attack vectors, and even
unsupported versions of software if they are still heavily used by consumers. The steps of
the investigation are as follows:
1. Investigate the flaw of the product described in the VSR.
2. Investigate whether the flaw also exists in supported products that were not
included in the VSR.
3. Investigate attack vectors for the vulnerability.
4. Maintain a public listing of which products/versions it currently supports.
Shared Code Bases
In some instances, one vulnerability is uncovered in a specific product, but the basis of
the flaw is found in source code that may spread throughout the industry. The OIS
believes it is the responsibility of both the finder and the vendor to notify all affected
vendors of the problem.
Gray Hat Hacking: The Ethical Hacker's Handbook
Chapter 3: Proper and Ethical Disclosure