Google Project Zero's recent adjustment of its vulnerability disclosure window reflects how researchers are now factoring patch adoption into their disclosure policies.
On the heels of a September mandate from CISA, 90 percent of cabinet-level agencies have now published a vulnerability-disclosure policy (VDP).
There is still time for security professionals in and out of government to weigh in on CISA's soon-to-be-released directive on how federal agencies should handle vulnerability reports.
Disclose.io provides a clear legal framework for organizations and researchers participating in vulnerability disclosure programs, with the goal of shielding those doing good-faith security research from legal action.
The disclosure this week of several new vulnerabilities in AMD chips, without any technical details, has again raised concerns about the way some researchers choose to deal with vendors on vulnerability research.