The finder is not required to participate in this step.
Timeframe
Setting a timeframe for delivery of a remedy is critical due to the risk to which the
finder and, in all probability, other users are exposed. The vendor is expected to produce
a remedy to the flaw within 30 days of acknowledging the VSR. Although time is a top
priority, ensuring that a thorough, accurate remedy is developed is equally important.
The fix must solve the problem and not create additional flaws that would put both parties
back in the same situation in the future. When notifying the finder of the target date for
the release of a fix, the vendor should also include the following supporting information:
• A summary of the risk that the flaw imposes
• The technical details of the remedy
• The testing process
• Steps to ensure a high uptake of the fix
The 30-day timeframe is not always strictly followed, because the OIS documentation
outlines several factors that should be contemplated when deciding upon the release
date of the fix. One of the factors is "the engineering complexity of the fix." The fix will
take longer if the vendor identifies significant practical complications in the process. For
example, data validation errors and buffer overflows are usually flaws that can be easily
recoded, but when the errors are embedded in the actual design of the software, the
vendor may have to redesign a portion of the product.