A security vulnerability is a flaw within a software system that can cause it to work contrary to its documented design and could be exploited to cause the system to violate its documented security policy or function.
The purpose of a Security Advisory is to provide information that assists the general public in understanding a security vulnerability, the products and versions it affects, steps required for "reproduction" of the discovered vulnerability and the steps that can be taken to defend affected systems and networks against it.
A Security Advisory may contain, but is not limited to the following:
Terms and Abbreviations
Caveats
The Finder may, at its discretion,
The Vendor may, at its discretion,
Phases
Discovery
The Finder discovers what they consider to be a security vulnerability (the Potential Flaw), validates the findings, and prepares a report (Security Advisory) describing the Potential Flaw.
The discovery of this Potential Flaw may occur in ways including, but not limited to, the following:
Notification
The Finder notifies the Vendor and advises it of the Potential Flaw. The Vendor must confirm that it has received the notification.
The Vendor shall report one of the following to the Finder:
If the Vendor's investigation confirms that the Flaw exists, the Vendor shall advise the Finder of its plans for addressing the issue.
NOTE: If a third party publicly discloses the Flaw before the release date agreed to by the Finder and Vendor, or if the Flaw comes under active exploitation, then the Finder or Vendor may immediately release its Security Advisory.
Release
In a coordinated fashion, the Vendor and the Finder publicly release information about the vulnerability, along with its resolution. If the Vendor chooses to release its remedy independently, it shall inform the Finder of its decision, and shall exercise reasonable efforts to provide ample lead time before doing so.
During the first fourteen (14) calendar days after the release of a Security Advisory to the Vendor, the Vendor and Finder restrict the release of supplementary data in the interest of giving users time to protect their systems, and share it only with people or organizations associated with defending systems against the vulnerability, protecting critical infrastructures, law enforcement, and so forth. Once this grace period expires, the supplementary data can be distributed as each party deems appropriate. If no Vendor response is received within seven (7) calendar days, the Finder shall release any and/or all information it deems necessary to fulfill its safe notification to the general public.
NOTE: These timelines shall be doubled (28 and 14 days) for Open Source developers and those products covered under the GNU GENERAL PUBLIC LICENSE or any other free software license.
The Vendor shall exercise reasonable efforts to make the notification available to all users who might be affected, provide information that assists users in determining whether they are using an affected version of the product, and provide information that assists users in minimizing the risk the Potential Flaw poses to their systems.
The Vendor shall include information such as:
As discussed in Notification above, the Finder and Vendor should act in concert to simultaneously release their advisories after a remedy is available. However, if a third party publicly discloses the vulnerability before the remedy's release date, or if the vulnerability comes under active exploitation, it may be necessary to act separately. Even in this case, however, it is important to avoid exacerbating an already bad situation.