An open API service indexing awesome lists of open source software.

https://github.com/jlleitschuh/vulnerability-disclosure-best-practices

# Vulnerability Disclosure Best Practices

> From a security researcher's perspective, it's infinitely simpler to just drop an 0-day blog post on twitter, then dump the research on MITRE, Snyk, and WhiteSource and let them deal with issuing advisories.
>
> By privately disclosing a security vulnerability to an organization, a security researcher is offering respect, not only to the organization, but more importantly to the users of that organization's software.
>
> \- Jonathan Leitschuh

*This document is not intended to convey legal advice!*

## Best practice #1: Have a Disclosure Policy

As a security researcher disclosing a security vulnerability to an organization, it is important to have an established, up-front disclosure policy.

This disclosure policy should be clearly stated in the initial email contact and should have a well-defined disclosure deadline.

### Why

### Examples

- [Google Disclosure Policy](https://www.google.com/about/appsecurity/)
- [GitHub Security Lab](https://securitylab.github.com/advisories#policy)

---

## Resources

- [Google Project Zero: Vulnerability Disclosure FAQ](https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html)