
Disclosure Policy of CERT/CC

Disclosure Policy of CERT/CC definition - hacker
As of October 2000, the CERT Coordination Center (CERT/CC) brought in a new policy regarding the disclosure of vulnerability information to the public. According to the CERT/CC, vulnerabilities reported to them will be revealed to the public 45 days after the initial report is made, regardless of the availability of patches. The new policy states that extenuating circumstances, such as active exploitation, threats of a very serious nature, or situations requiring changes to an established standard, could result in an amended disclosure period.

Because the purpose of the new policy is to balance the public's need to be informed with the vendor's need to respond effectively and efficiently to worms and viruses, CERT/CC's final decision on when to publish the information will be based on the best interests of the community. According to this policy, vulnerabilities reported to the CERT/CC are transmitted to the affected vendors as soon as possible after the initial report is received; confidentiality of the source is maintained.

See Also: Exploit; Vulnerabilities of Computers; Worm.

Carnegie Mellon University. CERT/CC Vulnerability Disclosure Policy. [Online, 2002.] Carnegie Mellon University CERT Website. http://www.cert.org/kb/vul_disclosure.html.

Webster's New World Hacker Dictionary Copyright © 2006 by Bernadette Schell and Clemens Martin.
Published by Wiley Publishing, Inc., Indianapolis, Indiana.
Used by arrangement with John Wiley & Sons, Inc.
