A Responsible Disclosure policy is intended to offer a best practice way for parties that find security vulnerabilities to disclose them to affected/vulnerable parties and developers. It allows a period of time within which all parties agree to not publish details of the vulnerability so that a fix may be crafted, distributed and applied to all parties at risk.
This is modelled on the CERT process
where 45 days from the date of (private) disclosure a full public disclosure of the vulnerability takes place, irrespective of whether a fix has been created in the intervening time.
This process is governed/run by the Technical Management Committee1
or an appointed party. The appointed party will:
- Maintain a list of known production installations of the software (ie. systems at risk) and contact points for these systems (preferably at least two people/positions).
- Act as a contact point for parties that wish to responsibly disclose issues they find during testing.
- Contact the list of affected systems and all developers currently actively contributing to the system and notify them of the bug, along with any fixes that are developed in response. Contact methods need to ensure that details remain guarded until past the 45-day deadline.
- Act as a co-ordination point for anyone developing fixes and affected parties, including ongoing communication regarding timelines.
- 45 days from the date of original disclosure, will publish the details (with or without a fix... but hopefully always 'with') to the list.
The primary contact for the responsible disclosure of security vulnerabilities is: firstname.lastname@example.org