Although their "Security Vulnerability Reporting and Response Policy" does not cover detailed instructions on how to engage several affected vendors, the OIS does offer some general guidelines to follow for this type of situation.
The finder and vendor should do at least one of the following action items:
• Make reasonable efforts to notify each vendor that is known to be affected by the flaw.
• Establish contact with an organization that can coordinate the communication to all affected vendors.
• Appoint a coordinator to champion the communication effort to all affected vendors.
Once the other affected vendors have been notified, the original vendor has the following
responsibilities:
• Maintain consistent contact with the other vendors throughout the investigation and resolution process.
• Negotiate a plan of attack with the other vendors in investigating the flaw. The plan should include such items as frequency of status updates and communication methods.
Once the investigation is under way, it is often necessary for the finder to provide
assistance to the vendor. Some examples of the help that a vendor would need include
more detailed characteristics of the flaw, more detailed information about the environment
in which the flaw occurred (network architecture, configurations, and so on), or
the possibility of a third-party software product that contributed to the flaw.