Initiating a Coordinated Vulnerability Disclosure Case
Sometimes, the hardest part of CVD is getting started. You might know about a vulnerability, but not know how to reach the vendor. Or you might be having trouble getting the vendor to respond. This section provides some advice on how to get the ball rolling.
- Reporting a vulnerability requires that the vulnerability is well-documented. This typically means providing high-quality and actionable information to the vendor or coordinator.
- Making initial contact with a vendor can sometimes be more difficult than it should be.
- Even when you can find contact information for a vendor, the vendor may not have an established process for receiving vulnerability reports.
- As a vendor, it is important to not treat reporters with suspicion or hostility. It's likely they have important information about your product, and they want to share it with you.