TSG Vulnerability Disclosure Policy

Our policy is the following:

Finding and disclosing software flaws, errors, and vulnerabilities helps improve the state of software security. Students in the TSG are tasked with finding such bugs and errors as a way to hone their skills.

The value of this exercise for the student is threefold. First, the student puts into practice the analysis tools and techniques covered in our courses and research. Second, the student nurtures a security mindset by examining code with the intent of violating its assumptions about correct execution. Finally, the student gains first-hand experience with the ethical and practical considerations involved in disclosing real-world flaws.

Users and vendors have a right to be informed of potential bugs, flaws, and vulnerabilities. Our first principle is to be as precise and accurate as possible with the information we develop. Speculation is clearly separated from the facts in a flaw report. We assemble information about the code flaw itself and the conditions under which it can be exercised. We make a good-faith effort to contact vendors and report this information to them ahead of any public disclosure. This contact may be a personal email where the vendor is a single person maintaining the software, but we seek to report the flaw via the vendor-preferred channel (such as a dedicated security mailing list for the project or product, or a Bugzilla report). After receiving an acknowledgement from the vendor, we may choose to post a brief, abstract description of the flaw on this web site in terms that generally mimic CERT advisories. We have no obligation to offer a fix or support for the bug.