CIRCL receives a large number of reports regarding new vulnerabilities in software and hardware products, or often discovers them itself.
The process of responsible vulnerability disclosure is important in order to correct and improve the security of software and hardware products. CIRCL expects reporters, whether they want to be named or to remain anonymous, to provide a complete report of what they discovered and to use their PGP key.
CIRCL will be responsible for notifying the vendor about the specific vulnerability. “This notification is the first step and the vendor will then have 30 days to resolve this issue. After this period, the vendor will have to provide CIRCL with an explanation about why the vulnerability wasn’t corrected. In this case, an additional grace period can of course be granted. CIRCL can also support and provide advice whenever needed”, explains Alexandre Dulaunoy from CIRCL.
When the grace period is over, the vendor is expected to communicate about the patches or updates used to correct the vulnerability.
However, if the grace period is over and the vendor’s answer is not acceptable, CIRCL and/or the reporter will publish the information about the vulnerability.
More information and a description of the full process: https://www.circl.lu/pub/responsible-vulnerability-disclosure/