The traditional process for responsible disclosure
when a hacker finds a vulnerability is to allow all stakeholders to agree to a period of time for the vulnerability to be patched before details are published.
This vulnerability, as well as other critical issues in SAP Afaria, was planned to be presented at the BlackHat APAC security conference in March, but the presentation was revoked by ERPScan because of responsible disclosure
Cost-effective and far faster than standard security testing programs, Bugcrowd also provides a range of responsible disclosure
and managed service options that allow companies to commission a customized security testing program that fits their specific requirements.
HP Security Research Zero Day Initiative (ZDI) Leads industry in responsible disclosure
programs, delivering advanced vulnerability protection to customers through HP TippingPoint DVLabs
Jiang did not provide full technical details of the flaw, citing responsible disclosure
issues, although he did describe the vulnerability as difficult to detect but easy to exploit, once found.
Microsoft is attempting to reshape responsible disclosure
by security researchers, announcing a new model that it says could provide a more coordinated response to zero-day vulnerabilities.
The sections entitled "Deposit Accounts" have also been revised to discuss this interagency guidance, which was issued to assist banks in the responsible disclosure
and administration of their overdraft-protection programs.
ISS has a responsible disclosure
policy of not publicizing vulnerabilities until the affected vendor issues a fix or 30 days elapse without response.
First, under the Ashcroft memorandum, agencies making decisions on discretionary disclosure are directed to carefully consider such fundamental values as national security, effective law enforcement, and personal privacy; the Reno memorandum had established an overall "presumption of disclosure" and promoted discretionary disclosures to achieve "maximum responsible disclosure
In addition to paid bounty programs, the infographic details which companies have implemented unpaid bug hunting or responsible disclosure
Foo Kune and his group have contacted AT&T and Nokia with low-cost techniques that could be implemented without changing the hardware, and are in the process of drafting responsible disclosure
statements for cellular service providers.
Microsoft also discussed the new policy of coordinated vulnerability disclosure - a reframing of responsible disclosure
- and introduced new tools and guidance that will improve online security for customers.