...
- Cloudstack Vulnerability Response Procedure (another similar page for Cloudstack)
- Mozilla Vulnerability Response Procedure
- IETF Draft Responsible Vulnerability Disclosure Process
...
Zero Day Response Model
- Cleaning up and automating the build and publishing process to enable releases to be cut quickly by whoever is available.
- No "grace periods" or "private discussions"; discuss publicly as soon as possible.
- Ideally set up a conference call to initiate discussion on how to resolve the issue and to assign responsibilities.
- Set up a secure communication channel for security advisories and notifications. Perhaps also update a public website.
Current process:
- Don't open JIRA Issues
- Don't open pull requests; do a direct commit
- Cut the security releases including release notes.
- Community Notification
- After the announcement, create JIRA issues.
- Three possibilities:
  - No grace period - Everyone knows before people can patch + people who follow many projects on bugtraq know right away
  - 15 business day grace period - People watching bugtraq will be unhappy with what looks like sloppy reporting + Lets adopters try to patch first
  - Short grace period - People don't really have time to benefit.
- Public disclosure: bugtraq
...