Responsible disclosure of vulnerabilities is a key aspect of security research. Often, the difficulty in responsible disclosure is balancing competing interests – assisting a vendor with patching their product and notifying the general public to prevent a 0-day situation. It is uncomfortable to acknowledge that if a white-hat team has discovered a vulnerability in a high-value target, it stands to reason that their adversaries may also be trying to exploit the same issue. Researchers must carefully balance the needs and capabilities of vendors to fix a product against the safety and security of our customers and the community as a whole.
Talos has been measuring the timelines, industry responsiveness, and end results with regard to our responsible disclosure policy, and today we are announcing a few changes. The full text of the Vendor Vulnerability Reporting and Disclosure Policy can be found here: http://www.cisco.com/c/en/us/about/security-center/vendor-vulnerability-policy.html. These changes include timeline adjustments based on vendor feedback and industry changes since we last addressed our Disclosure Policy.