================================
Vulnerability Disclosure Process
================================

Last updated: 16-Jul-2006
Revision: 1.0
Author: Tobias Klein (tk at trapkit.de)

The vulnerability disclosure process is divided into four phases:

  (1) Vendor Notification
  (2) Upcoming Advisory
  (3) Public Disclosure
  (4) Accelerated Disclosure

When I discover a vulnerability, I use the following process for vendor notification and public disclosure:

(1) Vendor Notification

During this phase, the vendor is officially notified of the vulnerability. An initial draft advisory is passed to the vendor for detailed discussion.

(2) Upcoming Advisory

I reserve the right to release general information about the vulnerability, including the vendor, a description, and the affected applications or operating systems, to the public. Technical information necessary to replicate the vulnerability will not be released to the public. This information will be provided under the following URL:

http://www.trapkit.de/advisories/

(3) Public Disclosure

Once the vendor has successfully addressed the vulnerability by releasing a patch and/or workaround information, I reserve the right to release a final advisory to numerous reputable and approved security mailing lists.

(4) Accelerated Disclosure

I reserve the right to accelerate the publication of the vulnerability information at any time. For example, disclosure might be accelerated if one or more of the following events occur:

- The vendor issues a patch or announcement regarding the vulnerability.
- An in-depth discussion of the vulnerability appears on a public mailing list.
- Active exploitation of any form related to the vulnerability is observed on the Internet.
- I receive evidence from reliable sources that an exploit is available in the wild.
- The vulnerability is reported by the media.
- The vendor becomes unresponsive.

This process may change from time to time, and I disclaim any obligation to provide notice of changes.