At this point, the finder can move forward in the following ways:

• Provide code to the vendor that better demonstrates the proposed vulnerability.
• If no change is established, the finder can move to release their VSR to the public. In this case, the finder should follow appropriate guidelines on releasing vulnerability information to the public (covered later in the chapter).
Resolution
In cases where a flaw is confirmed, the vendor must take proper steps to develop a solution. It is important that remedies are created for all supported products and versions of the software that are affected by the identified flaw. Although neither party is required to do so, the vendor will often ask the finder to help evaluate whether its proposed remedy is sufficient to eliminate the flaw. The OIS suggests the following steps when devising a vulnerability resolution:
1. Vendor determines if a remedy already exists. If one exists, the vendor should notify the finder immediately. If not, the vendor begins developing one.
2. Vendor ensures that the remedy is available for all supported products/versions.
3. Vendor may choose to share data with the finder as it works to ensure that the remedy will be effective.