Vulnerability notification Workflow [ Vendor ]
DRAFT Version 0.5 – Author: Thierry Zoller - Website: http://blog.zoller.lu

Vulnerability notification is received

Assessment of ITW (in-the-wild) public usage of the flaw

Steps

1. Check whether the information received is complete; try to determine all affected products.

2.1 Reply to the sender and acknowledge receipt. Inform the sender of the next steps.

2.2 Inform the respective product teams and stakeholders; demand that they reproduce the bug.

3.1 Inform the sender of the state of reproducibility and of the next steps.

3.2 Request further information from the product teams, such as details, impact and products affected.

4. Internal classification and estimation. Is the condition exploitable? What versions are affected, how long will it take to develop and test a patch, is there a possibility to mitigate?

5. Inform the researcher of the patch timeline; send basic information to the support department, including possible mitigations.

6. Send the researcher the date of publication of the advisory in order to coordinate disclosure; coordinate the website update.

7. Push the update to customers and notify customers of the update. Publish the advisory to Bugtraq etc.

Page 1


Prerequisites Checklist

- Work out an internal vulnerability notification handling policy that works with your development processes (Spiral, Agile, etc.)
- Stakeholders need to be informed of this policy
- Create e-mail addresses to receive reports (security@company.com)
- Enter contact data into the OSVDB Vendor database (Link)
- Create a security notification page on the website with a PGP key and a checklist of what data you need from researchers
- Templates of responses to researchers and internal templates
- Ticketing system for the security@ mail address and the responsible parties

To keep in mind

The researcher works for free; nonetheless he took the time to notify you and may even be willing to withhold the information until you have patched. Treat him accordingly. Always stay polite and do not enter into personal discussions; you might be quoted in the advisory in a negative way, sometimes portraying your statements as company statements („company x said“).

Page 2

Real-life examples: Templates

Acknowledge receipt

Thanks for reporting this, we'll take a look at it.

Hello Thierry, I hereby confirm the problem. We have a new stable release (0.95) planned for March 23 and would like to coordinate the disclosure with you.

Case Open

Hello Thierry,

Thanks very much for your report. I have opened case [XXXXXXr] and the case manager, X, will be in touch when there is more information. We appreciate you working with us to help keep our customers secure from a potential security issue while we investigate it. Additionally, in order to ensure that Jack receives any future correspondence from you directly, please make sure to copy the following (without the quotation marks) to any subject line of an email that you send regarding this report: "[xxxxxxxxx]"

In the meantime, we ask you respect responsible disclosure guidelines and not report this publicly until users have an opportunity to protect themselves. You can review our bulletin acknowledgment policy at http://www.xxxxxx.com/xxxxxx/security/bulletin/policy.mspx and our general policies and practices at http://www.xxxxxx.com/technet/security/bulletin/info/msrpracs.mspx. If at any time you have questions or more information, please respond to this message.

Best Regards,
XXXXXXX
