Home | Blog | Contact

Responsible Disclosure List

Recently I became enamored by the concept of Responsible Disclosure. After reading up on the topic, I began digging at what various companies are doing on this particular topic. Unfortunately I found that this information was extremely hard to come by. Information on points of contact, disclosure policies, and various other bits are well fragmented.

I also searched for some sort of database or website on the topic and I was only met by other websites or blogs that noted how hard it was to find information on the topic. The only standard I found on the topic was a draft IETF document from May 2002 which was never ratified. IETF did ratify RFC 2142 which noted that companies should maintain a security@example.com mailbox for the purpose of "Security bulletins or queries." Unfortunately most companies either do not know about this RFC or simply choose to not follow it.

To help solve this issue, I've put together a comprehensive list of various "Responsible Disclosure" webpages for various vendors, companies, and organizations that post their information publicly. I plan on hosting and maintaining the document perpetuity.

Responsible Disclosure List

If you discover any errors or would like to include your organization's information, all I ask is that you contact me with the relevant pieces of information to update.

Recommendations for companies

From forming the list above I've come up with a non-exhaustive list of recommendations to companies that are thinking about posting policies publicly.

Recommendation for researchers

If you're thinking about reporting a vulnerability to a company on the list, I'd recommend that you:

I hope I was able to cover this topic in some level of detail that was useful to you my dear reader. If you have a question or would like me to clarify something, feel free to reach out to me.