Vulnerability Disclosure Policy
Vulnerabilities of any kind reported to JOAN CROSS INFOSYSTEMS will be disclosed to the public 45 days after the initial report, irrespective of whether patches or workarounds are available from the vendors whose technology is affected. Extenuating circumstances, for example active exploitation, threats of an especially serious (or trivial) nature, or a situation that requires changes to an established standard, may result in earlier or later disclosure. Disclosures made by JOAN CROSS INFOSYSTEMS will credit the reporter unless the reporter requests otherwise. We will inform any affected technology vendor(s) of our publication intentions and schedule, and will discuss or negotiate alternate publication schedules with them when required.
The objective of this policy is to strike a balance between the public's need to be informed of security vulnerabilities and technology vendors' need for adequate time to respond to them effectively. The final determination of a publication schedule will be based on the overall best interests of society.
Vulnerabilities reported to us will be forwarded to the affected technology vendors as quickly as practicable after we receive the report. The name and contact information of the reporter will be forwarded to the affected vendors unless the reporter requests otherwise. We will advise the reporter of significant changes in the status of any vulnerability he or she reported, to the extent possible without revealing information provided to us in confidence.
Vulnerabilities will be disclosed in Vulnerability Notes.
Frequently Asked Questions
Q: Why not 30 days, or 15 days, or immediately?
A: We think that 45 days can be a pretty tough deadline for a large organization to meet. Making it shorter won’t realistically help the problem. In the absence of evidence of exploitation, gratuitously announcing vulnerabilities may not be in the best interest of public safety.
Q: Wouldn’t it be better to keep vulnerabilities quiet if there isn’t a fix available?
A: Vulnerabilities are routinely discovered and disclosed, frequently before vendors have had a fair opportunity to provide a fix, and disclosure often includes working exploits. In our experience, if there is not responsible, qualified disclosure of vulnerability information then researchers, programmers, system administrators, and other IT professionals who discover vulnerabilities often feel they have no choice but to make the information public in an attempt to coerce vendors into addressing the problem.
Q: Will all vulnerabilities be disclosed within 45 days?
A: No. There may be circumstances that cause us to adjust our publication schedule. Threats that are especially serious, or for which we have evidence of exploitation, will likely cause us to shorten our release schedule. Threats that require “hard” changes (changes to standards, changes to core operating system components) will cause us to extend our publication schedule. We may not publish every vulnerability that is reported to us.
Q: Will you surprise vendors with announcements of vulnerabilities?
A: No. Prior to public disclosure, we’ll make a good faith effort to inform vendors of our intentions.
Q: If a vendor disagrees with your assessment of a problem, will that information be available?
A: Yes. We solicit and post authenticated vendor statements and reference relevant vendor information in vulnerability notes. We will not withhold vendor-supplied information simply because it disagrees with our assessment of the problem.
Q: Who gets the information prior to public disclosure?
A: Generally, we provide the information to anyone who can contribute to the solution and with whom we have a trusted relationship, including vendors (often including vendors whose products are not vulnerable), community experts, sponsors, and sites that are part of a national critical infrastructure, if we believe those sites to be at risk.
Q: Do you disclose every reported vulnerability?
A: No. We may, at our discretion, decline to coordinate or publish a vulnerability report. This decision is generally based on the scope and severity of the vulnerability and our ability to add value to the coordination and disclosure process. Whether or not we coordinate or publish, we recommend that the reporter make a good faith effort to notify and work directly with the affected vendor prior to public disclosure.