vulnerability disclosure policy

Atlantic Council - It takes a village: How hacktivity can save your company

2018 : Atlantic Council release its comic It takes a village: How hacktivity can save your company.

"Sandra’s story aims to promote a better understanding of CVD practices among policymakers and business leaders, as well as address the misperception of CVD as a catch-all solution...Read more

Rebooting Responsible Disclosure: a focus on protecting and users

2010/07/20 : The Google authors give arguments to show why responsible disclosure is not always efficient. They propose to give a 60 days to the vendors to fix bugs disclosed before the vulnerabilities become public.Read more

Threat Complexity Requires New Levels of Collaboration - Stone and Moussouris on the creation of MSVR

2008/08 : Microsoft create the Microsoft Vulnerability Research Program (MSVR).Read more

Vulnerability Disclosure FAQ (Project Zero)

2019/07/31 : Here is the Project Zero FAQ. 

This artifact is part of the Google Project Zero Bundle.Read more

ENISA Report - Economics of Vulnerability Disclosure

2018/12 : ENISA (European Union Agency for Cybersecurity) release its Economics of Vulnerability Disclosure Report.

"Vulnerability disclosure refers to the process of identifying, reporting and patching weaknesses of software, hardware or services that can be exploited....Read more

THE PRICE OF RESTRICTING VULNERABILITY PUBLICATIONS (Granick Article)

2005 : "Part One of this paper explains the current state of computer (in)security and sets forth three ways to restrict publications followed by the most common arguments for and against. It then illustrates the popularity of security publication restrictions with an ...Read more

Vulnerabilities Equities Policy and Process for the United States Government

2017/11/15 : "[T]he White House released a charter on the vulnerability equities policy outlining how the federal government will alert private companies to cybersecurity flaws or refrain for intelligence purposes." (...Read more

MS says stop discussing hack exploits - Leyden paper

2001/10/18 : Leyden explains Culp essay.

This artifact is part of the Culp debate Bundle.Read more

Google 7-days disclosure

2013/05/29 : Google agreed for 7-days to fix critical vulnerabilities. 

"Based on our experience, however, we believe that more urgent action -- within 7 days -- is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that...Read more

ISO/IEC 29147:2014

2014/02 : "ISO/IEC 29147:2014 gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure." (see : https...Read more

Subscribe to vulnerability disclosure policy