Vulnerability Notification Workflow [Vendor]
Version 0.5 (DRAFT)
Thierry Zoller, http://blog.zoller.lu

Workflow

Start: a vulnerability notification is received at the security@ address.

1. Check whether the information received is complete; try to determine all affected products.

2.1 Reply to the sender and acknowledge receipt. Inform the sender of the next steps.
2.2 Inform the respective product teams and stakeholders and request that they reproduce the bug.

3.1 Notify the sender of the state of reproducibility and of the next steps.
3.2 Request further information from the product teams, such as technical details, impact and the products affected.

4. Internal classification and estimation: Is the condition exploitable? Which versions are affected? How long will it take to develop and test a patch? Is there a possibility to mitigate in the meantime? In parallel, assess whether the flaw is already public or being used in the wild (ITW), since this changes the urgency of the remaining steps.

5. Notify the researcher of the patch timeline. Send basic information to the support department, including possible mitigations.

6. Send the researcher the planned publication date of the advisory in order to coordinate disclosure; coordinate the website update for the same date.

7. Push the update to customers and notify them of it. Publish the advisory to Bugtraq and similar lists.

Prerequisites Checklist

- Work out an internal vulnerability notification handling policy that fits your development process (Spiral, Agile, etc.).
- Create e-mail addresses to receive reports (security@company.com).
- Enter your contact data into the OSVDB vendor database (link).
- Create a security notification page on the website with a PGP key and a checklist of the data you need from researchers.
- Stakeholders need to be informed of this policy.
- Prepare templates of responses to researchers as well as internal templates.
- Set up a ticketing system for the security@ mail address and assign responsible parties.

To keep in mind

The researcher works for free; nonetheless he took the time to notify you and may even be willing to withhold the information until you have patched. Treat him accordingly.

Always stay polite and do not enter into personal discussions. You might be quoted in the advisory in a negative way, sometimes with your statements portrayed as company statements ("company X said").