Responsible Disclosure
• Also known as Coordinated / Private Disclosure
• There is no standard definition of the process, but it is generally agreed that the researcher should:
  • Discreetly reach the software vendor with the details of the issue
  • Allow the vendor to acknowledge the flaw, develop a fix, test it, and publish a patch within a reasonable timeline
  • Publish the issue details to the public
    • Some vendors heavily discourage this
• Most vendors agree to issue some identifier for a security issue (e.g. a CVE)
• If the vendor does not respond to contact or fails to acknowledge the issue:
  • The researcher has no choice but to publish the details to inform users (as in full disclosure)
8 | © 2019 Palo Alto Networks. All Rights Reserved.