Vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure. Disclosures made by the CERT/CC will include credit to the reporter unless otherwise requested by the reporter. We will apprise any affected vendors of our publication plans and negotiate alternate publication schedules with the affected vendors when required.
It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with vendors' need for time to respond effectively. The final determination of a publication schedule will be based on the best interests of the community overall.
Vulnerabilities reported to us will be forwarded to the affected vendors as soon as practical after we receive the report. The name and contact information of the reporter will be forwarded to the affected vendors unless otherwise requested by the reporter. We will advise the reporter of significant changes in the status of any vulnerability he or she reported to the extent possible without revealing information provided to us in confidence.
Vulnerabilities will be disclosed in Vulnerability Notes.
Q: Does this mean CERT/CC is going "full disclosure?"
A: We will not distribute exploits, if that's what "full disclosure" means. In our experience, the number of people who can benefit from the availability of exploits is small compared to the number of people who are harmed by people who use exploits maliciously. We will, however, disclose information about vulnerabilities that we might not have previously disclosed. Within the limits of our resources, we will publish information about as many vulnerabilities as we can.
Q: Why not 30 days, or 15 days, or immediately?
A: We think that 45 days can be a pretty tough deadline for a large organization to meet. Making it shorter won't realistically help the problem. In the absence of evidence of exploitation, gratuitously announcing vulnerabilities may not be in the best interest of public safety.
Q: Wouldn't it be better to keep vulnerabilities quiet if there isn't a fix available?
A: Vulnerabilities are routinely discovered and disclosed, frequently before vendors have had a fair opportunity to provide a fix, and disclosure often includes working exploits. In our experience, if there is not responsible, qualified disclosure of vulnerability information then researchers, programmers, system administrators, and other IT professionals who discover vulnerabilities often feel they have no choice but to make the information public in an attempt to coerce vendors into addressing the problem.
Q: Will all vulnerabilities be disclosed within 45 days?
A: No. There may often be circumstances that will cause us to adjust our publication schedule. Threats that are especially serious or for which we have evidence of exploitation will likely cause us to shorten our release schedule. Threats that require "hard" changes (changes to standards, changes to core operating system components) will cause us to extend our publication schedule. We may not publish every vulnerability that is reported to us.
Q: Will you surprise vendors with announcements of vulnerabilities?
A: No. Prior to public disclosure, we'll make a good faith effort to inform vendors of our intentions.
Q: If a vendor disagrees with your assessment of a problem, will that information be available?
A: Yes. We solicit and post authenticated vendor statements and reference relevant vendor information in vulnerability notes. We will not withhold vendor-supplied information simply because it disagrees with our assessment of the problem.
Q: Who gets the information prior to public disclosure?
A: Generally, we provide the information to anyone who can contribute to the solution and with whom we have a trusted relationship, including vendors (often including vendors whose products are not vulnerable), community experts, sponsors, and sites that are part of a national critical infrastructure, if we believe those sites to be at risk.
Q: Do you disclose every reported vulnerability?
A: No. We may, at our discretion, decline to coordinate or publish a vulnerability report. This decision is generally based on the scope and severity of the vulnerability and our ability to add value to the coordination and disclosure process. Whether or not we coordinate or publish, we recommend that the reporter make a good faith effort to notify and work directly with the affected vendor prior to public disclosure.