Vulnerability response/Prerelease notification policy

From K5Wiki
This page represents a proposed policy of the MIT Kerberos project.

Disclaimers

The MIT Kerberos Team makes an effort to follow this policy as closely as possible. Specific situations may require the MIT Kerberos Team to deviate from this policy in order to manage risk.

Notification list

The MIT Kerberos Team maintains a private contact list of vendors who receive detailed prerelease notification of software security vulnerabilities. To reduce risk, membership on this list is on a need-to-know basis. Prerelease vulnerability information is confidential, and must be sent only through encrypted channels.

Interested vendors should provide the MIT Kerberos Team with PGP keys for encrypting communications.

Notification list eligibility

Only actual vendor organizations are eligible to be on the prerelease notification list. Typically, only vendor organizations which ship products derived from MIT Kerberos are eligible, but some vendors of non-MIT implementations may be contacted for protocol issues or when some part of their implementation is likely to be substantially similar to the MIT implementation. End-user organizations are not eligible. Coordination bodies are also not eligible. Vendor organizations must indicate which components of MIT Kerberos they redistribute.

The Technical Director has final authority to determine the membership of the prerelease notification list, and typically delegates this authority to the Security Officer.

Prerelease notification content

Prerelease security vulnerability information generally takes the form of a draft security advisory. A draft advisory may include a summary, a detailed description of the vulnerability, a CVSS score, and patches. CVE identifiers and CERT VU numbers are included when they are available. The prerelease information also includes a proposed timeline for public disclosure; when possible, vendors receive at least 30 days' notice before public disclosure.

Vulnerability summary information

Some coordination bodies receive summary information about two weeks prior to public disclosure of a vulnerability. These coordination bodies are encouraged to contact vendors who may not yet be on the prerelease notification list and to instruct these vendors to contact the MIT Kerberos Team directly by encrypted e-mail for details.