Vulnerability notification Workflow [ Vendor ]

DRAFT Version 0.5 – Author: Thierry Zoller - Website: http://blog.zoller.lu

[Flowchart, not reproduced: boxes "Vulnerability notification received", "Assessment of ITW (in-the-wild) public usage of flaw", "Inform respective product teams and stakeholders" and "Inform support department", connected by "Notify" arrows numbered 1 to 7, matching the steps below.]

Steps

1. Check whether the information received is complete; try to determine all affected products.
2.1 Reply to sender and acknowledge receipt. Inform sender of next steps.
2.2 Inform respective product teams and stakeholders – demand to reproduce the bug.
3.1 Inform sender of the state of reproducibility and of next steps.
3.2 Request further info from the product teams such as details, impact and products affected.
4. Internal classification and estimation. Is the condition exploitable? What versions are affected, how long will it take to develop / test a patch, is there a possibility to mitigate?
5. Inform researcher of patch timeline; send basic information to the support department, including possible mitigations.
6. Send researcher the date of publication of the advisory in order to coordinate disclosure; coordinate website update.
7. Push update to customers, notify customers of update. Publish advisory to Bugtraq etc.


Prerequisites Checklist

Work out an internal vulnerability notification handling policy that works with your development processes (Spiral, Agile, etc.)
Stakeholders need to be informed of this policy
Create e-mail addresses to receive reports (security@company.com)
Enter contact data into the OSVDB Vendor database (Link)
Create a security notification page on the website with a PGP key and a checklist of what data you need from researchers.
Templates of responses to researchers and internal templates
Ticketing system for the security@ mail address and responsible parties
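The seven-step workflow and the ticketing prerequisite above, as an added example that is not part of the original document: a minimal case tracker for the security@ mailbox that refuses incomplete reports (step 1), enforces the step order, and routes follow-up mail by a bracketed tag in the subject line (the same convention the "Case Open" template below asks the researcher to use). The required report fields, the case-id format VN-nnnn and the wording of the acknowledgement are assumptions made here for illustration.

```python
"""Added example (not the author's code): a minimal case tracker that follows
the seven-step vendor workflow.  Required fields, the VN-nnnn case-id format
and the subject tag convention are assumptions made for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional
import re


class State(Enum):
    RECEIVED = 1        # step 1: completeness check of the report
    ACKNOWLEDGED = 2    # step 2: receipt acknowledged, product team asked to reproduce
    REPRODUCED = 3      # step 3: reproducibility reported back to the researcher
    CLASSIFIED = 4      # step 4: exploitability, affected versions, patch effort, mitigation
    TIMELINE_SENT = 5   # step 5: patch timeline to researcher, mitigations to support
    DISCLOSURE_SET = 6  # step 6: advisory publication date agreed with the researcher
    PUBLISHED = 7       # step 7: update pushed to customers, advisory published


# Step 1: fields a report must carry before a case is opened (assumed list).
REQUIRED_REPORT_FIELDS = ("product", "version", "description",
                          "reproduction_steps", "reporter_email")


def missing_fields(report: dict) -> List[str]:
    """Return the required fields that are absent or empty in a report."""
    return [f for f in REQUIRED_REPORT_FIELDS if not report.get(f)]


@dataclass
class Case:
    case_id: str
    report: dict
    state: State = State.RECEIVED
    log: List[str] = field(default_factory=list)

    def subject_tag(self) -> str:
        """Tag the reporter copies into e-mail subjects so replies route to this case."""
        return f"[{self.case_id}]"

    def advance(self, to: State, note: str) -> State:
        """Move to the next workflow step only; skipping or going back is an error."""
        if to.value != self.state.value + 1:
            raise ValueError(f"cannot go from {self.state.name} to {to.name}")
        self.state = to
        self.log.append(f"{to.name}: {note}")
        return self.state


class Tracker:
    """Ticketing for the security@ mailbox: opens cases and routes follow-up mail."""
    _TAG_RE = re.compile(r"\[(VN-\d{4})\]")

    def __init__(self) -> None:
        self.cases: Dict[str, Case] = {}
        self._seq = 0

    def open_case(self, report: dict) -> Case:
        missing = missing_fields(report)
        if missing:
            raise ValueError("incomplete report, ask reporter for: " + ", ".join(missing))
        self._seq += 1
        case = Case(f"VN-{self._seq:04d}", report)
        self.cases[case.case_id] = case
        return case

    def route_mail(self, subject: str) -> Optional[Case]:
        """Find the case whose tag appears in the subject line, if any."""
        for case_id in self._TAG_RE.findall(subject):
            if case_id in self.cases:
                return self.cases[case_id]
        return None


def acknowledgement(case: Case) -> str:
    """Step 2.1: acknowledge receipt, state the next step and how to reply."""
    return (f"Thanks for your report. We have opened case {case.case_id}; please keep "
            f"{case.subject_tag()} in the subject line of further mail on this issue. "
            "We will let you know once the product team has tried to reproduce it.")


# Constructed sample report (not a real product), walked through all seven steps.
SAMPLE_REPORT = {
    "product": "ExampleServer", "version": "0.94",
    "description": "crash when parsing an oversized header",
    "reproduction_steps": "send a request with a 70 kB header",
    "reporter_email": "researcher@example.org",
}


def run_workflow(tracker: Tracker, report: dict) -> Case:
    case = tracker.open_case(report)                                        # step 1
    case.advance(State.ACKNOWLEDGED, acknowledgement(case))                 # step 2
    case.advance(State.REPRODUCED, "product team reproduced on 0.94")       # step 3
    case.advance(State.CLASSIFIED, "exploitable; fix planned for 0.95")     # step 4
    case.advance(State.TIMELINE_SENT, "timeline to researcher, mitigation to support")  # step 5
    case.advance(State.DISCLOSURE_SET, "advisory date agreed with researcher")          # step 6
    case.advance(State.PUBLISHED, "update pushed, advisory published")      # step 7
    return case


if __name__ == "__main__":
    t = Tracker()
    c = run_workflow(t, SAMPLE_REPORT)
    print(c.case_id, c.state.name, len(c.log))
    print(t.route_mail(f"Re: {c.subject_tag()} question about the fix").case_id)
```

The order check in Case.advance is what keeps step 5 (telling the researcher a timeline) from happening before step 4 (the internal classification that produces it); the subject tag is the one piece of state the researcher carries, so mail that lacks it lands in the unrouted pile for a human to sort rather than being silently dropped.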

To keep in mind

The researcher works for free; nonetheless he took the time to notify you and may even be willing to withhold the information until you have patched. Treat him accordingly.

Always stay polite and do not enter into personal discussions; you might be quoted in the advisory in a negative way, sometimes portraying your statements as company statements („company x said“).

Real-life examples: Templates

Acknowledge receipt

Thanks for reporting this, we'll take a look at it.

Hello Thierry,
I hereby confirm the problem. We have a new stable release (0.95) planned for March 23 and would like to coordinate the disclosure with you.

Case Open

Hello Thierry,

Thanks very much for your report. I have opened case [XXXXXXr] and the case manager, X, will be in touch when there is more information. We appreciate you working with us to help keep our customers secure from a potential security issue while we investigate it.

Additionally, in order to ensure that Jack receives any future correspondence from you directly please make sure to copy the following (without the quotation marks) to any subject line of an email that you send regarding this report: "[xxxxxxxxx]"

In the meantime, we ask you respect responsible disclosure guidelines and not report this publicly until users have an opportunity to protect themselves.

You can review our bulletin acknowledgment policy at http://www.xxxxxx.com/xxxxxx/security/bulletin/policy.mspx and our general policies and practices at http://www.xxxxxx.com/technet/security/bulletin/info/msrpracs.mspx. If at any time you have questions or more information, please respond to this message.

Best Regards,
XXXXXXX
