
Disclosure Policy
- All membership requirements and responsibilities will be publicly known; details can be found on the membership page.
- Distribution is determined in two ways: registered vendors/maintainers, and Open Source project contacts extracted from authoritative resources such as code.google.com, sourceforge, rubyforge, etc., where applicable.
- oCERT agrees to keep things moving efficiently, acknowledging that long or moved embargo dates can have a significant impact on vendors, users and open disclosure, and will avoid them where possible.
- All bug/incident timelines and discussion summaries will be made public after the embargo date. The embargo is optional and will be applied only when considered necessary for appropriate coordination; reports will be released as early as possible, and in any case an embargo must not be longer than 2 months.
- The following time frames regulate oCERT embargo proposals:
  - 7 days, in case the issue is already well narrowed down and tested, requiring only a trivial configuration and/or code change
  - 14 days, the standard embargo for most cases
  - 30 days, in case of critical and complex vulnerabilities (for example, trivial exploitation of administrative privileges in a static library affecting a large number of packages), and with the agreement of all parties
  - under extremely exceptional circumstances, if the oCERT Team and all the parties involved feel the need for a longer time, a 2-month embargo can be applied; in this case we would clearly document the decision for public review
  - in any circumstance the reporter's preference will always be honoured if a joint agreement is not reached, as oCERT would in any case be unable to enforce its embargo
