├── COPYING
├── README.md
├── docs
    ├── advisory-process.md
    └── co-ordinated-disclosure-policy.md
└── templates
    ├── advisory.html.xsl
    ├── advisory.md.xsl
    ├── advisory.txt.xsl
    └── advisory.xml


/COPYING:
--------------------------------------------------------------------------------
  1 | Attribution 4.0 International
  2 | 
  3 | =======================================================================
  4 | 
  5 | Creative Commons Corporation ("Creative Commons") is not a law firm and
  6 | does not provide legal services or legal advice. Distribution of
  7 | Creative Commons public licenses does not create a lawyer-client or
  8 | other relationship. Creative Commons makes its licenses and related
  9 | information available on an "as-is" basis. Creative Commons gives no
 10 | warranties regarding its licenses, any material licensed under their
 11 | terms and conditions, or any related information. Creative Commons
 12 | disclaims all liability for damages resulting from their use to the
 13 | fullest extent possible.
 14 | 
 15 | Using Creative Commons Public Licenses
 16 | 
 17 | Creative Commons public licenses provide a standard set of terms and
 18 | conditions that creators and other rights holders may use to share
 19 | original works of authorship and other material subject to copyright
 20 | and certain other rights specified in the public license below. The
 21 | following considerations are for informational purposes only, are not
 22 | exhaustive, and do not form part of our licenses.
 23 | 
 24 |      Considerations for licensors: Our public licenses are
 25 |      intended for use by those authorized to give the public
 26 |      permission to use material in ways otherwise restricted by
 27 |      copyright and certain other rights. Our licenses are
 28 |      irrevocable. Licensors should read and understand the terms
 29 |      and conditions of the license they choose before applying it.
 30 |      Licensors should also secure all rights necessary before
 31 |      applying our licenses so that the public can reuse the
 32 |      material as expected. Licensors should clearly mark any
 33 |      material not subject to the license. This includes other CC-
 34 |      licensed material, or material used under an exception or
 35 |      limitation to copyright. More considerations for licensors:
 36 |     wiki.creativecommons.org/Considerations_for_licensors
 37 | 
 38 |      Considerations for the public: By using one of our public
 39 |      licenses, a licensor grants the public permission to use the
 40 |      licensed material under specified terms and conditions. If
 41 |      the licensor's permission is not necessary for any reason--for
 42 |      example, because of any applicable exception or limitation to
 43 |      copyright--then that use is not regulated by the license. Our
 44 |      licenses grant only permissions under copyright and certain
 45 |      other rights that a licensor has authority to grant. Use of
 46 |      the licensed material may still be restricted for other
 47 |      reasons, including because others have copyright or other
 48 |      rights in the material. A licensor may make special requests,
 49 |      such as asking that all changes be marked or described.
 50 |      Although not required by our licenses, you are encouraged to
 51 |      respect those requests where reasonable. More considerations
 52 |      for the public:
 53 |     wiki.creativecommons.org/Considerations_for_licensees
 54 | 
 55 | =======================================================================
 56 | 
 57 | Creative Commons Attribution 4.0 International Public License
 58 | 
 59 | By exercising the Licensed Rights (defined below), You accept and agree
 60 | to be bound by the terms and conditions of this Creative Commons
 61 | Attribution 4.0 International Public License ("Public License"). To the
 62 | extent this Public License may be interpreted as a contract, You are
 63 | granted the Licensed Rights in consideration of Your acceptance of
 64 | these terms and conditions, and the Licensor grants You such rights in
 65 | consideration of benefits the Licensor receives from making the
 66 | Licensed Material available under these terms and conditions.
 67 | 
 68 | 
 69 | Section 1 -- Definitions.
 70 | 
 71 |   a. Adapted Material means material subject to Copyright and Similar
 72 |      Rights that is derived from or based upon the Licensed Material
 73 |      and in which the Licensed Material is translated, altered,
 74 |      arranged, transformed, or otherwise modified in a manner requiring
 75 |      permission under the Copyright and Similar Rights held by the
 76 |      Licensor. For purposes of this Public License, where the Licensed
 77 |      Material is a musical work, performance, or sound recording,
 78 |      Adapted Material is always produced where the Licensed Material is
 79 |      synched in timed relation with a moving image.
 80 | 
 81 |   b. Adapter's License means the license You apply to Your Copyright
 82 |      and Similar Rights in Your contributions to Adapted Material in
 83 |      accordance with the terms and conditions of this Public License.
 84 | 
 85 |   c. Copyright and Similar Rights means copyright and/or similar rights
 86 |      closely related to copyright including, without limitation,
 87 |      performance, broadcast, sound recording, and Sui Generis Database
 88 |      Rights, without regard to how the rights are labeled or
 89 |      categorized. For purposes of this Public License, the rights
 90 |      specified in Section 2(b)(1)-(2) are not Copyright and Similar
 91 |      Rights.
 92 | 
 93 |   d. Effective Technological Measures means those measures that, in the
 94 |      absence of proper authority, may not be circumvented under laws
 95 |      fulfilling obligations under Article 11 of the WIPO Copyright
 96 |      Treaty adopted on December 20, 1996, and/or similar international
 97 |      agreements.
 98 | 
 99 |   e. Exceptions and Limitations means fair use, fair dealing, and/or
100 |      any other exception or limitation to Copyright and Similar Rights
101 |      that applies to Your use of the Licensed Material.
102 | 
103 |   f. Licensed Material means the artistic or literary work, database,
104 |      or other material to which the Licensor applied this Public
105 |      License.
106 | 
107 |   g. Licensed Rights means the rights granted to You subject to the
108 |      terms and conditions of this Public License, which are limited to
109 |      all Copyright and Similar Rights that apply to Your use of the
110 |      Licensed Material and that the Licensor has authority to license.
111 | 
112 |   h. Licensor means the individual(s) or entity(ies) granting rights
113 |      under this Public License.
114 | 
115 |   i. Share means to provide material to the public by any means or
116 |      process that requires permission under the Licensed Rights, such
117 |      as reproduction, public display, public performance, distribution,
118 |      dissemination, communication, or importation, and to make material
119 |      available to the public including in ways that members of the
120 |      public may access the material from a place and at a time
121 |      individually chosen by them.
122 | 
123 |   j. Sui Generis Database Rights means rights other than copyright
124 |      resulting from Directive 96/9/EC of the European Parliament and of
125 |      the Council of 11 March 1996 on the legal protection of databases,
126 |      as amended and/or succeeded, as well as other essentially
127 |      equivalent rights anywhere in the world.
128 | 
129 |   k. You means the individual or entity exercising the Licensed Rights
130 |      under this Public License. Your has a corresponding meaning.
131 | 
132 | 
133 | Section 2 -- Scope.
134 | 
135 |   a. License grant.
136 | 
137 |        1. Subject to the terms and conditions of this Public License,
138 |           the Licensor hereby grants You a worldwide, royalty-free,
139 |           non-sublicensable, non-exclusive, irrevocable license to
140 |           exercise the Licensed Rights in the Licensed Material to:
141 | 
142 |             a. reproduce and Share the Licensed Material, in whole or
143 |                in part; and
144 | 
145 |             b. produce, reproduce, and Share Adapted Material.
146 | 
147 |        2. Exceptions and Limitations. For the avoidance of doubt, where
148 |           Exceptions and Limitations apply to Your use, this Public
149 |           License does not apply, and You do not need to comply with
150 |           its terms and conditions.
151 | 
152 |        3. Term. The term of this Public License is specified in Section
153 |           6(a).
154 | 
155 |        4. Media and formats; technical modifications allowed. The
156 |           Licensor authorizes You to exercise the Licensed Rights in
157 |           all media and formats whether now known or hereafter created,
158 |           and to make technical modifications necessary to do so. The
159 |           Licensor waives and/or agrees not to assert any right or
160 |           authority to forbid You from making technical modifications
161 |           necessary to exercise the Licensed Rights, including
162 |           technical modifications necessary to circumvent Effective
163 |           Technological Measures. For purposes of this Public License,
164 |           simply making modifications authorized by this Section 2(a)
165 |           (4) never produces Adapted Material.
166 | 
167 |        5. Downstream recipients.
168 | 
169 |             a. Offer from the Licensor -- Licensed Material. Every
170 |                recipient of the Licensed Material automatically
171 |                receives an offer from the Licensor to exercise the
172 |                Licensed Rights under the terms and conditions of this
173 |                Public License.
174 | 
175 |             b. No downstream restrictions. You may not offer or impose
176 |                any additional or different terms or conditions on, or
177 |                apply any Effective Technological Measures to, the
178 |                Licensed Material if doing so restricts exercise of the
179 |                Licensed Rights by any recipient of the Licensed
180 |                Material.
181 | 
182 |        6. No endorsement. Nothing in this Public License constitutes or
183 |           may be construed as permission to assert or imply that You
184 |           are, or that Your use of the Licensed Material is, connected
185 |           with, or sponsored, endorsed, or granted official status by,
186 |           the Licensor or others designated to receive attribution as
187 |           provided in Section 3(a)(1)(A)(i).
188 | 
189 |   b. Other rights.
190 | 
191 |        1. Moral rights, such as the right of integrity, are not
192 |           licensed under this Public License, nor are publicity,
193 |           privacy, and/or other similar personality rights; however, to
194 |           the extent possible, the Licensor waives and/or agrees not to
195 |           assert any such rights held by the Licensor to the limited
196 |           extent necessary to allow You to exercise the Licensed
197 |           Rights, but not otherwise.
198 | 
199 |        2. Patent and trademark rights are not licensed under this
200 |           Public License.
201 | 
202 |        3. To the extent possible, the Licensor waives any right to
203 |           collect royalties from You for the exercise of the Licensed
204 |           Rights, whether directly or through a collecting society
205 |           under any voluntary or waivable statutory or compulsory
206 |           licensing scheme. In all other cases the Licensor expressly
207 |           reserves any right to collect such royalties.
208 | 
209 | 
210 | Section 3 -- License Conditions.
211 | 
212 | Your exercise of the Licensed Rights is expressly made subject to the
213 | following conditions.
214 | 
215 |   a. Attribution.
216 | 
217 |        1. If You Share the Licensed Material (including in modified
218 |           form), You must:
219 | 
220 |             a. retain the following if it is supplied by the Licensor
221 |                with the Licensed Material:
222 | 
223 |                  i. identification of the creator(s) of the Licensed
224 |                     Material and any others designated to receive
225 |                     attribution, in any reasonable manner requested by
226 |                     the Licensor (including by pseudonym if
227 |                     designated);
228 | 
229 |                 ii. a copyright notice;
230 | 
231 |                iii. a notice that refers to this Public License;
232 | 
233 |                 iv. a notice that refers to the disclaimer of
234 |                     warranties;
235 | 
236 |                  v. a URI or hyperlink to the Licensed Material to the
237 |                     extent reasonably practicable;
238 | 
239 |             b. indicate if You modified the Licensed Material and
240 |                retain an indication of any previous modifications; and
241 | 
242 |             c. indicate the Licensed Material is licensed under this
243 |                Public License, and include the text of, or the URI or
244 |                hyperlink to, this Public License.
245 | 
246 |        2. You may satisfy the conditions in Section 3(a)(1) in any
247 |           reasonable manner based on the medium, means, and context in
248 |           which You Share the Licensed Material. For example, it may be
249 |           reasonable to satisfy the conditions by providing a URI or
250 |           hyperlink to a resource that includes the required
251 |           information.
252 | 
253 |        3. If requested by the Licensor, You must remove any of the
254 |           information required by Section 3(a)(1)(A) to the extent
255 |           reasonably practicable.
256 | 
257 |        4. If You Share Adapted Material You produce, the Adapter's
258 |           License You apply must not prevent recipients of the Adapted
259 |           Material from complying with this Public License.
260 | 
261 | 
262 | Section 4 -- Sui Generis Database Rights.
263 | 
264 | Where the Licensed Rights include Sui Generis Database Rights that
265 | apply to Your use of the Licensed Material:
266 | 
267 |   a. for the avoidance of doubt, Section 2(a)(1) grants You the right
268 |      to extract, reuse, reproduce, and Share all or a substantial
269 |      portion of the contents of the database;
270 | 
271 |   b. if You include all or a substantial portion of the database
272 |      contents in a database in which You have Sui Generis Database
273 |      Rights, then the database in which You have Sui Generis Database
274 |      Rights (but not its individual contents) is Adapted Material; and
275 | 
276 |   c. You must comply with the conditions in Section 3(a) if You Share
277 |      all or a substantial portion of the contents of the database.
278 | 
279 | For the avoidance of doubt, this Section 4 supplements and does not
280 | replace Your obligations under this Public License where the Licensed
281 | Rights include other Copyright and Similar Rights.
282 | 
283 | 
284 | Section 5 -- Disclaimer of Warranties and Limitation of Liability.
285 | 
286 |   a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
287 |      EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
288 |      AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
289 |      ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
290 |      IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
291 |      WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
292 |      PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
293 |      ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
294 |      KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
295 |      ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
296 | 
297 |   b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
298 |      TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
299 |      NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
300 |      INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
301 |      COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
302 |      USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
303 |      ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
304 |      DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
305 |      IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
306 | 
307 |   c. The disclaimer of warranties and limitation of liability provided
308 |      above shall be interpreted in a manner that, to the extent
309 |      possible, most closely approximates an absolute disclaimer and
310 |      waiver of all liability.
311 | 
312 | 
313 | Section 6 -- Term and Termination.
314 | 
315 |   a. This Public License applies for the term of the Copyright and
316 |      Similar Rights licensed here. However, if You fail to comply with
317 |      this Public License, then Your rights under this Public License
318 |      terminate automatically.
319 | 
320 |   b. Where Your right to use the Licensed Material has terminated under
321 |      Section 6(a), it reinstates:
322 | 
323 |        1. automatically as of the date the violation is cured, provided
324 |           it is cured within 30 days of Your discovery of the
325 |           violation; or
326 | 
327 |        2. upon express reinstatement by the Licensor.
328 | 
329 |      For the avoidance of doubt, this Section 6(b) does not affect any
330 |      right the Licensor may have to seek remedies for Your violations
331 |      of this Public License.
332 | 
333 |   c. For the avoidance of doubt, the Licensor may also offer the
334 |      Licensed Material under separate terms or conditions or stop
335 |      distributing the Licensed Material at any time; however, doing so
336 |      will not terminate this Public License.
337 | 
338 |   d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
339 |      License.
340 | 
341 | 
342 | Section 7 -- Other Terms and Conditions.
343 | 
344 |   a. The Licensor shall not be bound by any additional or different
345 |      terms or conditions communicated by You unless expressly agreed.
346 | 
347 |   b. Any arrangements, understandings, or agreements regarding the
348 |      Licensed Material not stated herein are separate from and
349 |      independent of the terms and conditions of this Public License.
350 | 
351 | 
352 | Section 8 -- Interpretation.
353 | 
354 |   a. For the avoidance of doubt, this Public License does not, and
355 |      shall not be interpreted to, reduce, limit, restrict, or impose
356 |      conditions on any use of the Licensed Material that could lawfully
357 |      be made without permission under this Public License.
358 | 
359 |   b. To the extent possible, if any provision of this Public License is
360 |      deemed unenforceable, it shall be automatically reformed to the
361 |      minimum extent necessary to make it enforceable. If the provision
362 |      cannot be reformed, it shall be severed from this Public License
363 |      without affecting the enforceability of the remaining terms and
364 |      conditions.
365 | 
366 |   c. No term or condition of this Public License will be waived and no
367 |      failure to comply consented to unless expressly agreed to by the
368 |      Licensor.
369 | 
370 |   d. Nothing in this Public License constitutes or may be interpreted
371 |      as a limitation upon, or waiver of, any privileges and immunities
372 |      that apply to the Licensor or You, including from the legal
373 |      processes of any jurisdiction or authority.
374 | 
375 | 
376 | =======================================================================
377 | 
378 | Creative Commons is not a party to its public
379 | licenses. Notwithstanding, Creative Commons may elect to apply one of
380 | its public licenses to material it publishes and in those instances
381 | will be considered the “Licensor.” The text of the Creative Commons
382 | public licenses is dedicated to the public domain under the CC0 Public
383 | Domain Dedication. Except for the limited purpose of indicating that
384 | material is shared under a Creative Commons public license or as
385 | otherwise permitted by the Creative Commons policies published at
386 | creativecommons.org/policies, Creative Commons does not authorize the
387 | use of the trademark "Creative Commons" or any other trademark or logo
388 | of Creative Commons without its prior written consent including,
389 | without limitation, in connection with any unauthorized modifications
390 | to any of its public licenses or any other arrangements,
391 | understandings, or agreements concerning use of licensed material. For
392 | the avoidance of doubt, this paragraph does not form part of the
393 | public licenses.
394 | 
395 | Creative Commons may be contacted at creativecommons.org.
396 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Welcome
 2 | 
 3 | This project contains a generic copy of the resources historically used by Portcullis Computer Security to manage our Advisory Process prior to our acquisition by Cisco.
 4 | 
 5 | For background, our advisory process was managed by a dedicated vendor liason team who utilise an issue management system to track all of the issues we find from identification through to disclosure.
 6 | 
 7 | You can find further details about our processes in the docs subdirectory. The Co-ordinated Disclosure Policy is intended for public consumption whilst the Advisory Process is expected to have a primarily internal audience.
 8 | 
 9 | Portcullis published our advisories in two main forms, as text based summaries on mailing lists along with a full disclosure of the technical findings on our web site at:
10 | 
11 | * https://www.portcullis-security.com/security-research-and-downloads/security-advisories/
12 | 
13 | To do so we utilised a generic XML schema (advisory.xml) which we could generate from the issue management system along with a number of XSLT templates which ensure constant formatting. We have templates to support text, HTML and markdown based publishing. These files can be found in the templates directory.
14 | 
15 | We are published this toolkit in an attempt to support the community at a time where the whole question of disclosure is again being discussed. Further details of our take on the philosophical debate around disclosure can found at:
16 | 
17 | * https://www.portcullis-security.com/changes-to-the-portcullis-advisories-process/
18 | 
19 | This work is licensed under the Creative Commons Attribution 4.0 International License. You can find a copy of this license at:
20 | 
21 | * http://creativecommons.org/licenses/by/4.0/.
22 | 
23 | Cheers,
24 | 
25 | Tim Brown (@timb_machine)
26 | 
27 | Head Of Research
28 | 
29 | Cisco CX Security Labs
30 | 


--------------------------------------------------------------------------------
/docs/advisory-process.md:
--------------------------------------------------------------------------------
 1 | # Purpose
 2 | 
 3 | [ORGANISATION] follows a model of co-ordinated disclosure where we attempt to work with vendors to resolve any new vulnerabilities that we find. A flow diagram of the process can be found along with this document that gives a high-level view of this process and the people responsible for delivering it. In the event of any problems following this process, the normal management channels should be utilised for escalation.
 4 | 
 5 | This process details how [ORGANISATION] manages the public reporting of security vulnerability information we researched to hardware and software vendors, our customers, and the public. This process intends to enable all parties to understand and address vulnerabilities expeditiously in their environment, minimising the risk that the vulnerability information may pose.
 6 | 
 7 | # Process
 8 | 
 9 | [FOR CLIENT DERIVED VULNERABILITIES: When a new vulnerability is found in the course of a client engagement, it will be reported as we would for any other issue that we might find. For critical vulnerabilities, a notice will be raised whilst for less critical vulnerabilities, the client's first visibility will be when the report is issued. In essence, our existing processes will be followed. Parallel to this, the following steps will also be taken:]
10 | 
11 | Further details can be found in [ORGANISATION]'s Advisory Process Operational Guide.
12 | 
13 | ## Phase 1: Discovery
14 | 
15 | The team member responsible for finding the vulnerability will open a new issue in [ORGANISATION]'s issue management system ([ISSUE TRACKER URL]).
16 | 
17 | ## Phase 2: Notification and acknowledgement
18 | 
19 | [ORGANISATION]'s vendor liaison team will confirm that the bug is actually new by checking, at minimum, the following locations:
20 | 
21 | * OSVDB dictionary;
22 | * CVE search;
23 | * Patch notes/security bulletins/KB articles on vendor website (if applicable);
24 | * A general Google search.
25 | 
26 | If the vulnerability appears to be new based on the checks listed above, the vendor liaison team will then:
27 | 
28 | 1. Check whether the vulnerability was found while working for a client. If this is the case, this will be escalated via normal management channels so that they can, if necessary make the client aware of our advisory disclosure process and the fact that we will be making contact with the vendor of a product they use.
29 | 2. Notify the customer if a vendor does not cooperate and no patch is released, giving them the opportunity to change to a new product or seek alternative mitigation strategies.
30 | 
31 | If it turns out that [ORGANISATION]'s vendor liaison team have never dealt with the vendor concerned, this will be escalated via normal management channels before initiation of vendor contact to confirm that [ORGANISATION] do not have an ongoing dialogue with the affected vendor.
32 | 
33 | In order to initiate a dialogue with the vendor, the following steps to find a contact address should be taken:
34 | 
35 | 1. Vendor web site will be checked for a security/support contact address/form.
36 | 2. OSVDB vendor dictionary checked for contact address.
37 | 3. HackerOne vendor dictionary checked for contact address.
38 | 4. If [ORGANISATION] is not able to identify the appropriate security-related email address for that vendor, an email will be sent to one or more of the following contacts:
39 | 
40 | * security@
41 | * support@
42 | * info@
43 | * admin@
44 | * sales@
45 | * psirt@
46 | 
47 | The purpose of this first email will be to:
48 | 
49 | * Confirm an appropriate vendor contact;
50 | * Establish whether the vendor wishes to use PGP;
51 | * Provide a link to the Co-ordinated Disclosure Policy ([CO-ORDINATED DISCLOSURE POLICY URL]);
52 | * Give the vendor the details of the product and the version affected.
53 | 
54 | It is not expected that this first email will be encrypted, however, reasonable attempts will be made to do so (for example if there has been previous contact with the vendor).
55 | 
56 | ## Phase 3: Pre-disclosure
57 | 
58 | At this stage, [ORGANISATION] will update the public web site containing the list of upcoming advisories to reference the vendor concerned. No details will be provided as to the product or type of vulnerability that has been found.
59 | 
60 | At this point the vulnerability will be referenced by the [ORGANISATION] ID assigned by the issue management system.
61 | 
62 | If the tester who reported the vulnerability requests that there should be no pre-disclosure announcement then this is to be escalated for confirmation. The tester will have to provide sufficient evidence to support why they believe we should not make a pre-diclosure announcement.
63 | 
64 | Once initial contact has been made, or after 30 days have elapsed since the first attempts at contact, the pre-disclosure announcement will be published.
65 | 
66 | Note: The externally facing policy demands an initial response within seven (7) days. This discrepancy in timing is intended to account for unexpected delays in making contact (e.g. weekends, vacation days).
67 | 
68 | ## Phase 4: Validation and resolution
69 | 
70 | [ORGANISATION] expects to be regularly updated as to the progress the vendor has made in resolving the bug. In the event that 30 days pass without vendor contact, we reserve the right to publish at our convenience, in the interest of protecting our customers. When an update is received, this clock will be reset. During this period, it is expected that there may be regular exchanges between the vendor liaison team and the vendor. These exchanges can be handled by any/all members of the vendor liaison team as appropriate.
71 | 
72 | Details of the exchanges will be entered into the issue management system in order that the team member responsible for finding the bug is kept in the loop, and to generate a disclosure timeline for publication. Where necessary, the team member may themselves be asked to provide input into the disclosure process. However, this should not be direct and instead, such exchanges will be mediated by any/all authorised members of the vendor liaison team as appropriate.
73 | 
74 | The issue management system will also be utilised to track the date of last contact so as to allow the triggering of a warning to dictate disclosure in the case of an uncooperative vendor.
75 | 
76 | Once a vendor confirms the validity of the vulnerability, or disclosure is deemed necessary, an external CVE ID will be requested from MITRE (http://www.mitre.org/) by the vendor liaison team in preparation for publishing. In some instances a vendor's PSIRT (Product Security Incident Response Team) may be able to assign a CVE ID on MITRE's behalf. Note: if the vendor is a CVE Numbering Authority (CNA), they should immediately assign a CVE ID upon verification of the issue.
77 | 
78 | ## Phase 5: Release
79 | 
80 | In the event that a uncooperative vendor triggers a disclosure, or that the vendor confirms that the bug reported has been resolved, [ORGANISATION] will then prepare an advisory based on our standard XML format. This will allow easy conversion to both HTML (for consumption by [ORGANISATION]'s web site) and text for distribution to the standard mailing lists.
81 | 
82 | This will need to be prepared within seven (7) days, as the expectation is that full disclosure will occur 14 days after disclosure is mandated, or that the vendor confirms that the bug reported has been resolved.
83 | 
84 | Once the advisory has been completed it will be submitted for QA prior to publishing.
85 | 
86 | Having passed through QA, [ORGANISATION] will update the web site containing the list of advisories to reference the newly created advisory.
87 | 
88 | The advisory will be published. It is expected that in addition to publishing the advisory on the [ORGANISATION] web site, a text only version will be sent to the following email addresses:
89 | 
90 | * bugtraq@securityfocus.com
91 | * fulldisclosure@seclists.org
92 | * vuln@secunia.com
93 | * moderators@osvdb.org
94 | 


--------------------------------------------------------------------------------
/docs/co-ordinated-disclosure-policy.md:
--------------------------------------------------------------------------------
  1 | # Purpose
  2 | 
  3 | [ORGANISATION] follow a model of co-ordinated disclosure where we attempt to work with vendors to resolve any new vulnerabilities that we find. A flow diagram of the process can be found along with this document which gives a high-level view of this process and the people responsible for delivering it. In the event of any problems following this process, the normal management channels should be utilised for escalation.
  4 | 
  5 | This policy details how [ORGANISATION] manages the public reporting of security vulnerability information to computer industry vendors, our customers and the public. [ORGANISATION]'s Co-ordinated Disclosure Policy intends to enable all parties to understand and address vulnerabilities in their environment expeditiously, minimising the risk that the vulnerability poses.
  6 | 
  7 | The goals of the policy are:
  8 | 
  9 | * To assist in the identification and remediation of vulnerabilities in a manner which is effective and efficient for all parties.
 10 | * To minimise the risk to all parties from such vulnerabilities.
 11 | * To provide all parties with information that supports independent corroboration of these vulnerabilities.
 12 | * To provide the security community with the information necessary to learn from these vulnerabilities and thus identify, manage, and reduce the risks of future vulnerabilities in information technology as they occur.
 13 | * To minimise the amount of time and resources that all parties would otherwise be required to spend in order to manage these vulnerabilities.
 14 | * To facilitate long-term research and development of techniques, products, and processes for understanding, avoiding or mitigating security vulnerabilities.
 15 | * To circumvent the antagonism that can sometimes arise in the absence of a formal disclosure policy such as this one.
 16 | 
 17 | # Process
 18 | 
 19 | The basic steps of [ORGANISATION]'s Advisory Process are listed below, further details will be given in the subsequent sections of this document. These steps are aspirational in nature, and while [ORGANISATION] will attempt to follow them and encourages the other parties involved to follow them, there can be no guarantees that differing situations in practice will not affect any part'y's implementation of the process.
 20 | 
 21 | The basic steps are:
 22 | 
 23 | 1. **Discovery:** [ORGANISATION] discovers a security vulnerability ("the bug") either by accident or while working on specific security research.
 24 | 2. **Notification:** and acknowledgement: [ORGANISATION] notifies the vendor of the product that contains the bug ("initial notification"). In turn, the vendor provides [ORGANISATION] with evidence that the initial notification was received ("vendor receipt").
 25 | 3. **Validation:** The vendor tries to verify and validate [ORGANISATION]'s claims ("reproduction").
 26 | 4. **Resolution:** The vendor tries to identify where the bug resides ("diagnosis"). The vendor develops a patch or workaround that eliminates or reduces the risk of the vulnerability ("fix development"). The fix development is then optionally tested by [ORGANISATION] to ensure that the bug has been corrected ("patch testing"). [ORGANISATION] notifies the vendor of the outcome of the patch testing.
 27 | 5. **Release:** In a coordinated fashion, the vendor and [ORGANISATION] publicly release information about the vulnerability, along with its resolution ("advisory"). The vendor may initially release this information to its customers and other organizations with which it may have special relationships.
 28 | 
 29 | The process will be followed by [ORGANISATION]'s vendor liaison team.
 30 | 
 31 | The following describes how the Team intends to operate during each phase of the Advisory Process.
 32 | 
 33 | ## Phase 1: Discovery
 34 | 
 35 | [ORGANISATION] will validate its findings and draft an "initial notification" email. The purpose of this first email will be to:
 36 | 
 37 | * Confirm an appropriate vendor contact;
 38 | * Establish whether the vendor wishes to use PGP;
 39 | * Provide a copy of our co-ordinated disclosure policy;
 40 | * Give the vendor details of the product and version affected.
 41 | 
 42 | At this point details of the vulnerability will be entered into [ORGANISATION]'s issue management system.
 43 | 
 44 | ## Phase 2: Notification and acknowledgement
 45 | 
 46 | Upon internal validation of the potential flaw, [ORGANISATION] will distribute the "initial email" and record the "initial notification" date.
 47 | 
 48 | [ORGANISATION] will utilise external databases such as OSVDBs vendor dictionary as well as the vendors web site to locate a suitable contact.
 49 | 
 50 | If [ORGANISATION] is not able to identify the appropriate security-related email address for that vendor, an email will be sent to one or more of the following contacts:
 51 | 
 52 | * security@
 53 | * support@
 54 | * psirt@
 55 | * info@
 56 | * admin@
 57 | 
 58 | Any other communication channel (e.g. telephone) listed by the vendor would also be acceptable.
 59 | 
 60 | Once the notification has been sent by [ORGANISATION], response will be expected by email ("vendor receipt") from the vendor within 7 days that (a) acknowledges that they have received and read the notification and (b) describes how they intend to engage with [ORGANISATION].
 61 | 
 62 | After receiving a response from the vendor, or where no response is forthcoming [ORGANISATION]' published list of upcoming advisories will be updated to reference the vendor concerned. No details will be provided as to the product or type of vulnerability that has been found. Where no response is provided, [ORGANISATION] may then proceed to Phase 5 at their discretion
 63 | 
 64 | ## Phase 3: Validation
 65 | 
 66 | During this phase, it is anticipated that the vendor will attempt to address the vulnerability ("reproduction"). [ORGANISATION] will provided more detailed information in the manner agreed upon which should allow the correct identification of the code containing the bug.
 67 | 
 68 | The following is a list of suggestions for vendors to ensure that the resolution is satisfactory for their customers. These suggestions are expressed as "should" consistent with [ORGANISATION]'s understanding of good practices at this time:
 69 | 
 70 | 1. If the vulnerability is found in a product which is supported by the vendor ("supported product") then the vendor should:
 71 |   1. Reproduce the vulnerability.
 72 |   2. Determine if there is enough evidence for the existence of the vulnerability if it cannot be reproduced. 
 73 |   3. Determine if the vulnerability is already known (and possibly already resolved).
 74 |   4. Or, work with [ORGANISATION] or other security experts to determine if the vulnerability is related to the specific environment in which it was discovered (including configuration errors or interactions with other products). As resources permit, [ORGANISATION] will help the vendor with the validation phase when requested.
 75 | 2. If the vulnerability is found in an unsupported or discontinued product, the vendor may refuse to validate the vulnerability. However, the vendor should undertake measures to ensure that the reported vulnerability does not exist in supported product versions or other supported products based on the vulnerable product.
 76 | 3. The vendor should examine its product to ensure that it is free of other problems that may be similar to the reported vulnerability. Related vulnerabilities in the same product are often found by others after a specific vulnerability is publicly disclosed. Finding multiple vulnerabilities up front during the validation phase saves the vendor and customers time and money by minimising the need to create and install multiple patches.
 77 | 4. The vendor should provide status updates to [ORGANISATION] every 7 days from initial notification. The vendor and [ORGANISATION] may come to an agreement for sharing less frequent updates
 78 | 5. The vendor should notify [ORGANISATION] when it is able to reproduce the vulnerability.
 79 | 6. The vendor should attempt to resolve the vulnerability as described in Phase 4 within 30 days of initial notification. There are valid reasons why vulnerabilities cannot be resolved within this time period. If a good faith effort is being made by the vendor to validate the vulnerability, [ORGANISATION] will delay the public disclosure of information regarding the vulnerability until a resolution is found or created.
 80 | 7. If the vendor is aware of other vendors that share the same code base as the affected product, the vendor should either (1) notify those vendors, or (2) notify a vulnerability coordinator, such as CERT/CC (http://www.cert.org), that other vendors may be affected by the reported vulnerability.
 81 | 
 82 | ## Phase 4: Resolution
 83 | 
 84 | The resolution of a vulnerability should involve action regarding one or more of the following:
 85 | 
 86 | * Patch creation;
 87 | * Recommendation of configuration change;
 88 | * Design change;
 89 | * Workaround.
 90 | 
 91 | During this phase, [ORGANISATION] recommends that the vendor should:
 92 | 
 93 | 1. Identify the fundamental nature of the flaw within the source code or in the design of the product ("diagnosis").
 94 | 2. Determine whether to (a) provide a patch, configuration or design change, or workaround that appropriately reduces or eliminates the risk of the vulnerability ("fix development"), or (b) provide [ORGANISATION] with specific reasons for their decision to pursue an alternative to fixing the vulnerability.
 95 | 3. Request time extensions from [ORGANISATION] when necessary.
 96 | 4. Test the patches, configuration changes, and workarounds sufficiently to clarify how it may or may not adversely affect the operation of the product.
 97 | 5. Provide [ORGANISATION] with details of the proposed fix ("fix development"). The vendor should also provide [ORGANISATION] with any patches so that [ORGANISATION] may optionally conduct our own testing of the fix ("patch testing"). This will help [ORGANISATION] confirm that the vulnerability has been reduced or eliminated. A vendor may have existing policies in place that require that only supported customers have access to this information; these policies should also be communicated to [ORGANISATION] by email.
 98 | 
 99 | ## Phase 5: Release
100 | 
101 | 1. [ORGANISATION] will work with the vendor to create a timetable pursuant to which the vulnerability information ("advisory") may be released to [ORGANISATION] customers, the vendor's customers and the general public in a coordinated fashion.
102 | 2. However, if the parties cannot agree to a coordinated release of the vulnerability information and a forced disclosure is triggered, [ORGANISATION] will honour a "grace period" of up to 30 days. During this time, it will unilaterally update the published list of upcoming advisories to include further summary information to the public. No details of the specific vulnerability will be disclosed in an effort to reduce the likelihood that attackers might exploit the product based on receiving the new vulnerability information. [ORGANISATION] will make every effort to describe or publish workarounds, configuration or design changes, or even patches where this information is not available from the vendor. After the expiration of the 30-day grace period [ORGANISATION] will publicly release the full Security Advisory.
103 | 3. If the vendor has not resolved the vulnerability within the timeframe determined in the Release Phase, then [ORGANISATION] may work with a coordinator, such as CERT/CC (http://www.cert.org) to announce the vulnerability to customers and the public.
104 | 4. If another security reporter has publicly announced the vulnerability before the release date agreed between by [ORGANISATION] and the vendor, [ORGANISATION] may immediately share details of the vulnerability with its customers who might be exposed to such vulnerability.
105 | 5. The security advisory will contain the following information:
106 | * Advisory references: An external MITRE supplied CVE ID;
107 | * Vendor name: The name(s) of the vendor of the product;
108 | * Vulnerable products: The name(s) of the vulnerable product(s) and the specific version(s) affected;
109 | * Vulnerability title: The type of vulnerability discovered;
110 | * Reporter: The name of the author(s) of the advisory;
111 | * Details: Some or all of the following:
112 | ** A description of how the vulnerability presents itself;
113 | ** Components and configurations that are affected;
114 | ** Mitigating factors;
115 | ** Workarounds or configuration changes to resolve the vulnerability;
116 | ** Preventative measures to address similar problems in the future.
117 | * Impact: A description of the impact the vulnerability has/can have on the system e.g. "remote execution of code" or "local privilege escalation";
118 | * Exploit code: Where deemed necessary/desirable Proof of Concept code to enable the verification of the issue(s) discovered;
119 | * Remediation: If known, [ORGANISATION] will recommend available courses of action for customers to eliminate or mitigate the vulnerability in their environment.
120 | 
121 | # References
122 | 
123 | This policy was originally derived from "Responsible Vulnerability Disclosure Process", by Steve Christey of MITRE and Chris Wysopal of @stake. Portions of this policy are also based on "Full Disclosure Policy (RFPolicy) v2.0" by Rain Forest Puppy. This policy has most recently been updated in accordance with BS ISO/IEC 30111:2013 and BS ISO/IEC 29147:2014.
124 | 
125 | # Suggestions for vendors
126 | 
127 | * Vendors should provide a security contact address on their web site and make it easy to find.
128 | * Vendors should set up a security response process to respond to security vulnerabilities in a timely manner.
129 | * Vendors should incorporate lessons learned into training for their security, IT, product and marketing organizations.
130 | * Vendors should notify customers that someone has reported a problem, present a temporary work-around and/or tell customers that they are working to provide a final resolution.
131 | * Vendors should clearly notify customers and the public when a resolution is (a) faulty, (b) revised or (c) resolved.
132 | * Vendors should credit the reporter who notified them of the vulnerability if the reporter was working to responsibly protect customers.
133 | * Vendors should create and communicate a vulnerability response policy which details how they respond to and assess reports of vulnerabilities, how long customers should expect to wait for a typical resolution, and information about vulnerability reporting standards, if any, that they follow.
134 | 
135 | # Suggestions for customers
136 | 
137 | * The customer must not assume that the lack of details in a public vulnerability report will prevent the creation of an exploit.
138 | * If a vendor has released information regarding a vulnerability, then the customer should assume that the information is credible. The customer should not require that the vulnerability be demonstrated before applying the resolution.
139 | * If a vendor has not released such information, but a well-established reporter or coordination center has, then the customer should assume that the information is credible. The customer should not require that the vulnerability be demonstrated before applying the resolution.
140 | * If vulnerability information has been released and a grace period exists, then the customer should apply the resolution to its system during the grace period immediately.
141 | * Where possible, the customer should test any patches, configuration or design changes, or workarounds on test systems before making the changes in an operational environment.
142 | * The customer should inform the vendor and the public if a patch, configuration or design change, or workaround does not appear to work as described.
143 | * The customer should give preference to products whose vendors follow coordinated disclosure practices.
144 | 


--------------------------------------------------------------------------------
/templates/advisory.html.xsl:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
 2 | <!DOCTYPE stylesheet [<!ENTITY % w3centities-f PUBLIC "-//W3C//ENTITIES Combined Set//EN//XML" "http://www.w3.org/2003/entities/2007/w3centities-f.ent">%w3centities-f;]>
 3 | <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:date="http://exslt.org/dates-and-times">
 4 | <xsl:output method="html" doctype-public="-//W3C//DTD XHTML 1.0 Strict//EN" media-type="application/html+xml" encoding="utf-8" omit-xml-declaration="yes" indent="yes"/>
 5 | <xsl:template match="meta">
 6 | <h1>Vulnerability title: <xsl:value-of select="title"/> in <xsl:value-of select="vendor"/><xsl:text> </xsl:text><xsl:value-of select="product"/></h1>
 7 | <table border="1">
 8 | <tr><td>CVE:</td><td><xsl:value-of select="cve"/></td></tr>
 9 | <tr><td>Vendor:</td><td><xsl:value-of select="vendor"/></td></tr>
10 | <tr><td>Product:</td><td><xsl:value-of select="product"/></td></tr>
11 | <tr><td>Affected version:</td><td><xsl:value-of select="affectedversion"/></td></tr>
12 | <tr><td>Fixed version:</td><td><xsl:value-of select="fixedversion"/></td></tr>
13 | <tr><td>Reported by:</td><td><xsl:value-of select="reporter"/></td></tr>
14 | </table>
15 | </xsl:template>
16 | <xsl:template match="description">
17 | <xsl:copy-of select="."/>
18 | </xsl:template>
19 | <xsl:template match="impact">
20 | <h3>Impact:</h3>
21 | <xsl:copy-of select="."/>
22 | </xsl:template>
23 | <xsl:template match="exploit">
24 | <h3>Exploit:</h3>
25 | <xsl:copy-of select="."/>
26 | </xsl:template>
27 | <xsl:template match="remediation">
28 | <h3>Remediation:</h3>
29 | <xsl:copy-of select="."/>
30 | </xsl:template>
31 | <xsl:template match="details">
32 | <h3>Details:</h3>
33 | <xsl:apply-templates select="description"/>
34 | <xsl:apply-templates select="impact"/>
35 | <xsl:apply-templates select="exploit"/>
36 | <xsl:apply-templates select="remediation"/>
37 | </xsl:template>
38 | <xsl:template match="status">
39 | <h3>Vendor status:</h3>
40 | <table border="1">
41 | <xsl:for-each select="update">
42 | <tr><td><xsl:value-of select="date"/></td><td><xsl:value-of select="comment"/></td></tr>
43 | </xsl:for-each>
44 | <tr><td><xsl:value-of select="substring(date:date-time(), 9, 2)"/>/<xsl:value-of select="substring(date:date-time(), 6, 2)"/>/<xsl:value-of select="substring(date:date-time(), 1, 4)"/></td><td>Published</td></tr>
45 | </table>
46 | </xsl:template>
47 | <xsl:template match="advisory">
48 | <div>
49 | <xsl:apply-templates select="meta"/>
50 | <xsl:apply-templates select="details"/>
51 | <xsl:apply-templates select="status"/>
52 | </div>
53 | <div>
54 | <h5>Copyright:</h5>
55 | <p>Copyright &copy; [ORGANISATION] <xsl:value-of select="date:year()"/>, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of [ORGANISATION].</p>
56 | <h5>Disclaimer:</h5>
57 | <p>The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor ([ORGANISATION]) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.</p>
58 | </div>
59 | </xsl:template>
60 | <xsl:template match="/">
61 | <html>
62 | <body>
63 | <xsl:apply-templates select="advisory"/>
64 | </body>
65 | </html>
66 | </xsl:template>
67 | </xsl:stylesheet>


--------------------------------------------------------------------------------
/templates/advisory.md.xsl:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
 2 | <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:date="http://exslt.org/dates-and-times">
 3 | <xsl:output method="text" indent="no"/>
 4 | <xsl:template match="meta">
 5 | # Vulnerability title: <xsl:value-of select="title"/> In <xsl:value-of select="vendor"/><xsl:text> </xsl:text><xsl:value-of select="product"/>
 6 | CVE:|<xsl:value-of select="cve"/>
 7 | Vendor:|<xsl:value-of select="vendor"/>
 8 | Product:|<xsl:value-of select="product"/>
 9 | Affected version:|<xsl:value-of select="affectedversion"/>
10 | Fixed version:|<xsl:value-of select="fixedversion"/>
11 | Reported by:|<xsl:value-of select="reporter"/>
12 | </xsl:template>
13 | <xsl:template match="description">
14 | <xsl:value-of select="."/>
15 | </xsl:template>
16 | <xsl:template match="impact">
17 | ### Impact:
18 | <xsl:value-of select="."/>
19 | </xsl:template>
20 | <xsl:template match="exploit">
21 | ### Exploit:
22 | <xsl:value-of select="."/>
23 | </xsl:template>
24 | <xsl:template match="remediation">
25 | ### Remediation:
26 | <xsl:value-of select="."/>
27 | </xsl:template>
28 | <xsl:template match="details">
29 | ### Details:
30 | <xsl:apply-templates select="description"/>
31 | <xsl:apply-templates select="impact"/>
32 | <xsl:apply-templates select="exploit"/>
33 | <xsl:apply-templates select="remediation"/>
34 | </xsl:template>
35 | <xsl:template match="status">
36 | ### Status:
37 | <xsl:for-each select="update">
38 | - <xsl:value-of select="date"/> - <xsl:value-of select="comment"/><xsl:text>
39 | </xsl:text>
40 | </xsl:for-each>
41 | - <xsl:value-of select="substring(date:date-time(), 9, 2)"/>/<xsl:value-of select="substring(date:date-time(), 6, 2)"/>/<xsl:value-of select="substring(date:date-time(), 1, 4)"/> - Published
42 | </xsl:template>
43 | <xsl:template match="advisory">
44 | <xsl:apply-templates select="meta"/>
45 | <xsl:apply-templates select="details"/>
46 | <xsl:apply-templates select="status"/>
47 | Copyright:
48 | Copyright (c) [ORGANISATION] <xsl:value-of select="date:year()"/>, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of [ORGANISATION].
49 | 
50 | Disclaimer:
51 | The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor ([ORGANISATION]) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
52 | </xsl:template>
53 | <xsl:template match="/">
54 | <html>
55 | <body>
56 | <xsl:apply-templates select="advisory"/>
57 | </body>
58 | </html>
59 | </xsl:template>
60 | </xsl:stylesheet>


--------------------------------------------------------------------------------
/templates/advisory.txt.xsl:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
 2 | <xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:date="http://exslt.org/dates-and-times">
 3 | <xsl:output method="text" indent="no"/>
 4 | <xsl:template match="meta">
 5 | Vulnerability title: <xsl:value-of select="title"/> In <xsl:value-of select="vendor"/><xsl:text> </xsl:text><xsl:value-of select="product"/>
 6 | CVE: <xsl:value-of select="cve"/>
 7 | Vendor: <xsl:value-of select="vendor"/>
 8 | Product: <xsl:value-of select="product"/>
 9 | Affected version: <xsl:value-of select="affectedversion"/>
10 | Fixed version: <xsl:value-of select="fixedversion"/>
11 | Reported by: <xsl:value-of select="reporter"/>
12 | </xsl:template>
13 | <xsl:template match="description">
14 | <xsl:value-of select="."/>
15 | </xsl:template>
16 | <!-- <xsl:template match="impact">
17 | Impact:
18 | <xsl:value-of select="."/>
19 | </xsl:template>
20 | <xsl:template match="exploit">
21 | Exploit:
22 | <xsl:value-of select="."/>
23 | </xsl:template>
24 | <xsl:template match="remediatio">
25 | Remediation:
26 | <xsl:value-of select="."/>
27 | </xsl:template>
28 | -->
29 | <xsl:template match="details">
30 | Details:
31 | <xsl:apply-templates select="description"/>
32 | Further details at:
33 | 
34 | [PUBLISHED ADVISORY URL]
35 | <!-- <xsl:apply-templates select="impact"/>
36 | <xsl:apply-templates select="exploit"/>
37 | <xsl:apply-templates select="remediation"/> -->
38 | </xsl:template>
39 | <!--<xsl:template match="status">
40 | Vendor status:
41 | <xsl:for-each select="update">
42 | <xsl:value-of select="date"/> - <xsl:value-of select="comment"/><xsl:text>
43 | </xsl:text>
44 | </xsl:for-each>
45 | <xsl:value-of select="substring(date:date-time(), 9, 2)"/>/<xsl:value-of select="substring(date:date-time(), 6, 2)"/>/<xsl:value-of select="substring(date:date-time(), 1, 4)"/> - Published
46 | </xsl:template> -->
47 | <xsl:template match="advisory">
48 | <xsl:apply-templates select="meta"/>
49 | <xsl:apply-templates select="details"/>
50 | <!-- <xsl:apply-templates select="status"/> -->
51 | Copyright:
52 | Copyright (c) [ORGANISATION] <xsl:value-of select="date:year()"/>, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of [ORGANISATION].
53 | 
54 | Disclaimer:
55 | The information herein contained may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor ([ORGANISATION]) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
56 | </xsl:template>
57 | <xsl:template match="/">
58 | <html>
59 | <body>
60 | <xsl:apply-templates select="advisory"/>
61 | </body>
62 | </html>
63 | </xsl:template>
64 | </xsl:stylesheet>


--------------------------------------------------------------------------------
/templates/advisory.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="ISO-8859-1"?>
 2 | <?xml-stylesheet type="text/xsl" href="advisory.xsl"?>
 3 | <advisory version="3">
 4 |         <meta>
 5 |                 <id>1337</id> 
 6 |                 <cve>CVE-NNNN-NNNN</cve>
 7 |                 <vendor>VENDOR</vendor>
 8 |                 <product>PRODUCT</product>
 9 |                 <affectedversion>10.1.1.1</affectedversion>
10 |                 <fixedversion>10.1.1.2</fixedversion>
11 |                 <title>REMOTE CODE EXECUTION</title> 
12 |                 <reporter>TEAM MEMBER</reporter>
13 |         </meta>
14 |         <status>
15 | 		<update><date>21/10/2014</date><comment>Advisory created</comment></update>
16 |                 <update><date>28/10/2014</date><comment>Vendor contacted</comment></update>
17 | 		<update><date>25/11/2014</date><comment>Vendor working on a fix</comment></update>
18 |                 <update><date>03/12/2014</date><comment>Fix released</comment></update>
19 |                 <update><date>03/12/2014</date><comment>Fix confirmed</comment></update>
20 |                 <update><date>XX/XX/2014</date><comment>CVE obtained</comment></update>
21 |         </status>
22 |         <details>
23 | 		<description>
24 | <p>blah blah blah blah....</p>
25 | 		</description>
26 | 		<impact>
27 | <p>This vulnerability allows....</p>
28 | 		</impact>
29 | 		<exploit>
30 | <p>The proof of concept exploit is available...</p>
31 |         	</exploit>
32 | 		<remediation>
33 | <p>The vendor has released a patch:</p>
34 | <ul>
35 | 	<li>http://vendorspatchserver/patch.tar.gz</li>
36 | </ul>
37 | 	`	</remediation>
38 | 	</details>
39 | </advisory>
40 | 


--------------------------------------------------------------------------------