As of October 2000, the CERT Coordination Center (CERT/CC) brought in a new policy regarding the disclosure to the public of vulnerability information. According to the CERT/CC, vulnerabilities reported to them will be revealed to the public 45 days after the initial report is made, regardless of the availability of patches. Extenuating circumstances, the new policy states—such as active exploitation, threats of a very serious nature, or situations requiring changes to an established standard—could result in an amended disclosure period.
Because the purpose of the new policy is to balance the public’s need to be informed with the vendor’s need to respond effectively and efficiently to worms and viruses, CERT/CC’s final decision on when to publish the information will be based on the best interests of the community. According to this policy, vulnerabilities reported to the CERT/CC are transmitted to the affected vendors as soon as possible after the initial report is received; confidentiality of the source is maintained.
Carnegie Mellon University. CERT/CC Vulnerability Disclosure Policy. [Online, 2002.] Carnegie Mellon University CERT Website. http://www.cert.org/kb/vul_disclosure.html.