vendor-researcher relationship

Security and IT Industry Leaders Form Organization for Internet Safety - Creation of OIS

2002/09/26 : "OIS [The Organization for Internet Safety] was formed to make it easier for security researchers and vendors to work together to fix security vulnerabilities. Today, there are no agreed-upon processes for handling security vulnerabilities." (see : ...Read more

Schneier - Crypto-Gram March 15, 2002

2002/03/15 : Schneier published his monthly newsletter.
Schneier gives this time a summary of the vulnerabilitiy disclosure actual issues.

"The history of the vulnerability's discovery and publication is an interesting story, and illustrates the...Read more

Microsoft Vulnerability Disclosure

Announcing Coordinated Vulnerability Disclosure (Microsoft)
Coordinated Vulnerability Disclosure at Microsoft
Coordinated Vulnerability Disclosure: Bringing Balance to the Force (Microsoft)
Coordinated Vulnerability Disclosure: From Philosophy to Practice (Microsoft)
Coordinated Vulnerability Disclosure Reloaded (Microsoft)
Microsoft Vulnerability Research Advisories
Microsoft Says No to Paying Bug Bounties (Fisher paper)
Heart of Blue Gold – Announcing New Bounty Programs (Microsoft)
Filling A Gap In the Vulnerability Market – First Bounty Notification (Microsoft)
Schneier - Crypto-Gram November 15, 2001

2001/11/15 : Schneier published his monthly newsletter.
He talks about Cert/CC creation and reacts here on Culp essay

"[Culp] claimed that we'd all be a lot safer if researchers would keep details about vulnerabilities to themselves, and stop arming...Read more

NIAC VULNERABILITY DISCLOSURE FRAMEWORK

2004/01/13 : The National Infrastructure Advisory Concil published in January 2004 their Final report and recommendations on vulnerability disclosure.

"The NIAC reached consensus that the nation’s interests are advanced by a commitment by all stakeholders in...Read more

THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS (Granick Article)

2005 : "Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an ...Read more

Is the iDefense challenge worth it? (Chickowski paper)

2006/02/23 : Ericka Chickowski writes upon iDefense rewards and their way of working with enterprises and hackers. 

This artifact is part of the iDefense Bundle...Read more

No more free bugs for software vendors (Fisher paper)

2009/03/23 : Dennis Fisher highlights the end of free vulnerability disclosure.

"It appears that the free ride is over for software vendors."Read more

Google Vulnerability Report

Google Security Reward - 2015 Year in Review
Google to Pay For Bugs Found in Chromium (Threat post)
Google Ups the Bug Bounty Ante to $3133.7 (Threat post)
Google Open Source Vulnerabilities (OSV)
Google Project Zero

2015/02/13 : "Project Zero has adhered to a 90-day disclosure deadline. Now we are applying this approach for the rest of Google as well. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a...Read more

Coordinated Vulnerability Disclosure Reloaded (Microsoft)

2011/04/19 : Microsoft reloaded its Coordinate Vulnerability Disclosure.

This artifact is part of the Microsoft Vulnerability Disclosure Bundle.Read more

'Responsible Disclosure' Draft Could Have Legal Muscle - Rasch on Christey and Wysopal draft

2002/03/11 : Rasch analyses Christey and Wysopal IETF Draft.

"The report articulates what many in the security industry have considered to be a reasonable method of reporting security vulnerabilities." (p.1) 

This artifact is part of the...Read more

Subscribe to vendor-researcher relationship
Need help with PECE?
Join the PECE Slack channel