While discussing Coordinated Vulnerability Disclosure, I often experience that people strongly focus on coordinating the vulnerability information with organizations, while the disclosure part is often ignored or even actively discouraged. The last blog I wrote here was actually about a company that argued I had agreed to an enforceable non-disclosure agreement just by visiting their website and reporting a breach. Like my other CVD-related posts, this too is mainly focussed on lessons about t...