Vulnerability notification Workflow [ Vendor ]
Version 0.5 – Thierry Zoller http://blog.zoller.lu

Steps
1. Check whether the information received is complete; try to determine all affected products.
2.1 Reply to the sender and acknowledge receipt. Inform the sender of the next steps. (Notify researcher)
2.2 Inform the respective product teams and stakeholders; require them to reproduce the bug.
3.1 Inform the sender of the state of reproducibility and of the next steps. (Notify researcher)
3.2 Request further information from the product teams, such as details, impact and products affected.
4. Internal classification and estimation: Is the condition exploitable? Which versions are affected? How long will it take to develop and test a patch? Is there a possibility to mitigate?
5. Inform the researcher of the patch timeline (Notify researcher); send basic information, including possible mitigations, to the support department. (Inform support department)
Prerequisites Checklist
Work out an internal vulnerability notification handling policy that works with your development process (Spiral, Agile, etc.).
Stakeholders need to be informed of this policy
Create e-mail addresses to receive reports (security@company.com).
Enter contact data into the OSVDB Vendor database (Link)
Create a security notification page on the website with a PGP key and a checklist of what data you need from researchers.
Templates of responses to researchers, and internal templates.
A ticketing system for the security@ mail address, with responsible parties assigned.
To keep in mind
The researcher works for free; nonetheless, he took the time to notify you and may even be willing to withhold the information until you have patched. Treat him accordingly.
Always stay polite and do not enter into personal discussions: you might be quoted in the advisory in a negative way, sometimes with your statements portrayed as company statements („company x said“).
Real-life examples (Templates)
Acknowledge receipt
Hello Thierry,
I hereby confirm the problem. We have a new stable release (0.95) planned for March 23 and would like to coordinate the disclosure with you.
Case Open
Hello Thierry,
Thanks very much for your report. I have opened case [XXXXXXr] and the case manager, X, will be in
touch when there is more information. We appreciate you working with us to help keep our customers
secure from a potential security issue while we investigate it.
Additionally, in order to ensure that Jack receives any future correspondence from you directly please make
sure to copy the following (without the quotation marks) to any subject line of an email that you send
regarding this report: "[xxxxxxxxx]". In the meantime, we ask that you respect responsible disclosure guidelines and not report this publicly until users have had an opportunity to protect themselves.
Best Regards,
XXXXXXX